Chapter 13-802.11 Network Security Architecture • 802.11 Security Basics • Legacy 802.11 security • Robust Security • Segmentation • Infrastructure Security • VPN wireless Security


Page 1: Chapter 13-802.11 Network Security Architecture 802.11 Security Basics Legacy 802.11 security Robust Security Segmentation Infrastructure Security VPN

Chapter 13-802.11 Network Security Architecture

• 802.11 Security Basics
• Legacy 802.11 security
• Robust Security
• Segmentation
• Infrastructure Security
• VPN wireless Security

Page 2

Exam Essentials

• Define the concept of AAA.
  – Be able to explain the differences between authentication, authorization, and accounting and why each is needed for a WLAN network.
• Explain why data privacy and segmentation are needed.
  – Be able to discuss why data frames must be protected with encryption. Know the differences between the various encryption ciphers. Understand how VLANs and RBAC mechanisms are used to further restrict network resources.
• Understand legacy 802.11 security.
  – Identify and understand Open System authentication and Shared Key authentication. Understand how WEP encryption works and all of its weaknesses.
• Explain the 802.1X/EAP framework.
  – Be able to explain all of the components of an 802.1X solution and the EAP authentication protocol. Understand that dynamic encryption key generation is a by-product of mutual authentication.

Page 3

Exam Essentials

• Define the requirements of a robust security network (RSN).
  – Understand what the 802.11-2007 standard specifically defines for robust security and be able to contrast what is defined by both the WPA and WPA2 certifications.
• Understand TKIP/RC4 and CCMP/AES.
  – Be able to explain the basics of both dynamic encryption types and why they are the end result of an RSN solution.
• Explain VLANs and VPNs.
  – Understand that VLANs are typically used for wireless segmentation solutions. Define the basics of VPN technology and when it might be used in a WLAN environment.

• Explain VLANs and VPNs. – Understand that VLANs are typically used for wireless

segmentation solutions. Define the basics of VPN technology and when it might be used in a WLAN environment.

Page 4

Wireless Security

• Data Privacy and Authentication
• What attacks are there
• What defenses are there

Page 5

802.11 Security Basics

• Data Privacy
• Authentication, Authorization, Accounting
• Segmentation
• Monitoring
• Policy

Pg 438

Page 6

802.11 Security Basics

• Wireless tends to be a portal to existing, secure networks
• Wireless needs to be protected as well
  – Too easy to capture
• Use authorization to prevent access to internal network resources
  – Then regular authentication for network resources
• 802.11i and the RSN improved the reputation of wireless

Pg 438

Page 7

Data Privacy

• Since wireless is in unlicensed frequency, it is easy to detect transmissions
• Data privacy is used to restrict access to the data
  – Encryption algorithms
  – RC4 and AES
• Management frames are not encrypted
• The MSDU from the data frames is encrypted
  – Layer 2 encryption

Pg 439

Page 8

Authentication, Authorization, Accounting (AAA)

• Authentication
  – Verification of user identity and credentials
• Authorization
  – Granting access to network resources based on authentication
• Accounting
  – Tracking the use of network resources by users

Pg 439

Page 9

Authentication, Authorization, Accounting (AAA)

• 802.11i and the RSN provided AAA standards for wireless networks
• An accounting trail is necessary for many government regulations

Pg 439

Page 10

Segmentation

• Before good encryption existed on wireless networks, they were segmented (separated) from the wired network
  – Untrusted
• Still important to keep different kinds of traffic separate on the networks
  – Firewalls, routers, VPNs, VLANs
  – Wireless VLANs are more common
• Related to Role Based Access Control (RBAC)

Pg 440

Page 11

Monitoring and Privacy

• Need to monitor the network to prevent attacks
• Using a Wireless Intrusion Detection System can help

Pg 440

Page 12

Legacy Security

• Open System Authentication
  – Null authentication, everyone gets in
• Shared Key
  – Used the WEP key as its source
• WEP key was static, and the same for everyone
  – Major security risk

Pg 440

Page 13

Static WEP

• Wired Equivalent Privacy is layer 2 encryption
  – RC4 with a 64- or 128-bit key
• Confidentiality, access control and data integrity were the goals
• Static WEP was on both AP and clients
  – Up to 4 keys, but all must match

Pg 442

Page 14

Static WEP

Pg 442

WEP runs a cyclic redundancy check (CRC) on the plaintext data that is to be encrypted and then appends the Integrity Check Value (ICV) to the end of the plaintext data. A 24-bit cleartext Initialization Vector (IV) is then generated and combined with the static secret key. WEP then uses both the static key and the IV as seeding material through a pseudorandom algorithm that generates random bits of data known as a keystream. These pseudorandom bits are equal in length to the plaintext data that is to be encrypted. The pseudorandom bits in the keystream are then combined with the plaintext data bits by using a Boolean XOR process. The end result is the WEP ciphertext, which is the encrypted data. The encrypted data is then prefixed with the cleartext IV. Figure 13.3 illustrates this process.

Page 15

Static WEP

• Attacks
  – IV Collisions
  – Weak Key
  – Reinjection
  – Bit-Flipping
• Easy to crack WEP

Pg 442
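A worked model of the WEP process described on page 14, written for this transcript as an added example (it is not code from the slides or from the CWNA book): RC4 seeded with IV || static key, a CRC-32 ICV appended before encryption, and the 3-byte IV sent in the clear. The key, IV and plaintexts are constructed values, the secret is taken as 5 or 13 bytes (the 64/128-bit figures on page 13 include the 24-bit IV), and the key-ID byte that follows the IV in a real frame is omitted. The last function shows why the IV collision on page 15 matters: two frames under the same IV and key share a keystream.

```python
import zlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key scheduling (KSA), then the pseudorandom generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def icv(plaintext: bytes) -> bytes:
    """Integrity Check Value: CRC-32 of the plaintext, sent little-endian."""
    return (zlib.crc32(plaintext) & 0xFFFFFFFF).to_bytes(4, "little")

def wep_encrypt(static_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || (plaintext || ICV) XOR RC4(IV || static key).
    The 24-bit IV is the only per-frame input; the static key never changes.
    A real frame also has a key-ID byte after the IV; omitted here."""
    assert len(iv) == 3 and len(static_key) in (5, 13)  # 40- or 104-bit secret
    body = plaintext + icv(plaintext)
    keystream = rc4_keystream(iv + static_key, len(body))
    return iv + bytes(b ^ k for b, k in zip(body, keystream))

def wep_decrypt(static_key: bytes, frame: bytes):
    """Strip the cleartext IV, regenerate the keystream, XOR, verify the ICV.
    Returns (plaintext, icv_ok)."""
    iv, ciphertext = frame[:3], frame[3:]
    keystream = rc4_keystream(iv + static_key, len(ciphertext))
    body = bytes(c ^ k for c, k in zip(ciphertext, keystream))
    plaintext, received_icv = body[:-4], body[-4:]
    return plaintext, received_icv == icv(plaintext)

def same_iv_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """IV collision: both frames used the same keystream, so XORing the two
    ciphertexts cancels it and leaves plaintext_a XOR plaintext_b, with no
    knowledge of the key. Only 2^24 IVs exist, so busy WLANs repeat them."""
    assert frame_a[:3] == frame_b[:3], "different IVs: keystreams differ"
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))
```

The ICV is a plain CRC, not a keyed MAC, so it only catches accidental corruption; that is what makes the bit-flipping attack on page 15 possible.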

Page 16

MAC Filters

• Have the AP accept only approved MAC addresses
  – Not part of the standard
• Too easy to spoof a MAC address
  – Use a protocol analyzer to grab a MAC address and then use it on your own machine

Pg 444

Page 17

SSID Cloaking

• Hide the SSID
• The SSID field appears blank in beacon frames and probe responses
• A protocol analyzer will see the SSID field in actual data frames

Pg 444

Page 18

Robust Security

• The 802.11-2007 standard defines an enterprise authentication method as well as a method of authentication for home use
• Requires the use of 802.1X/EAP for enterprise and the use of a PSK for SOHO
• Strong encryption is required as well
  – CCMP/AES
  – TKIP/RC4

Pg 445

Page 19

Robust Security

• The Wi-Fi Alliance created WPA and WPA2
  – WPA before 802.11i
  – WPA2 after

Pg 445

Page 20

Robust Security Network

• Robust Security Network Associations
  – How two stations authenticate and associate
  – Create dynamic encryption keys through a 4-way handshake
• CCMP/AES is mandatory
• TKIP/RC4 is optional
• RSN field is in the beacon
  – RSN Information Element
  – Defines the supported ciphers

Pg 446

Page 21

802.1X/EAP

• Not specific to wireless
• Port-based authentication
• Three players
  – Supplicant: the client that wants access
  – Authenticator: the system that accepts requests (AP)
  – Authentication Server: the database of users, e.g. a RADIUS server

Pg 446

Page 22

802.1x/EAP

Pg 446

Page 23

802.1X/EAP

• EAP allows different authentication systems to be used
• Defines when traffic moves from the uncontrolled to the controlled port

Pg 446

Page 24

EAP Types

• Many EAP types
  – LEAP, PEAP, etc.
• One-way or mutual authentication
  – Mutual authentication usually requires the AP to provide a digital certificate to the client that the client can verify

Pg 450

Page 25

Dynamic Encryption

• Since 802.1X/EAP can provide for distribution of certificates, it is often used to help with encryption
• Generate encryption keys during the authentication process
  – Much better than a static key that is used by everyone
• Keys are generated per session/per user
  – Every authentication, new key

Pg 450

Page 26

4-Way Handshake

• The RSNA process creates multiple keys
  – Group Master Key (GMK)
  – Pairwise Master Key (PMK)
• PMK can also be created from a Pre-Shared Key (PSK)

Pg 452

Page 27

WPA/WPA2 Personal

• In 802.1X/EAP you need an authentication server
  – Like RADIUS
• Most SOHO implementations use pre-shared keys (PSK)
  – PSK is still a security risk
• PSK isn't used for encryption on all stations
  – Each creates its own encryption keys

Pg 453
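The key hierarchy behind pages 26 and 27, as an added Python example (not code from the slides or the CWNA book): the PMK derived from a passphrase in WPA/WPA2-Personal, the PTK that the 4-way handshake derives from it and splits into KCK, KEK and TK, and the EAPOL-Key MIC with which each side proves it holds the PMK. The MAC addresses and nonces used with it are constructed values, and the station_keys helper is mine; it only exists to show that stations sharing one passphrase still end up with distinct temporal keys.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PSK = PMK = PBKDF2-HMAC-SHA1(passphrase, SSID as salt,
    4096 iterations, 256 bits). Identical for every station on the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    concatenated and truncated to nbytes."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise Transient Key for CCMP (384 bits): KCK | KEK | TK, 128 bits each.
    aa/spa are the AP and station MAC addresses; ANonce and SNonce travel in
    handshake messages 1 and 2. min/max ordering lets both sides agree."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

def eapol_key_mic(kck: bytes, eapol_key_frame: bytes) -> bytes:
    """Key MIC for key descriptor version 2 (WPA2/CCMP): HMAC-SHA1-128 under the
    KCK over the EAPOL-Key frame with its MIC field zeroed. Messages 2-4 carry
    it, proving possession of the PMK without the PMK or PSK ever being sent."""
    return hmac.new(kck, eapol_key_frame, hashlib.sha1).digest()[:16]

def station_keys(passphrase: str, ssid: str, aa: bytes, stations: dict) -> dict:
    """Hypothetical helper: TK per station from one shared passphrase.
    stations maps a name to (station MAC, ANonce, SNonce) for its handshake."""
    pmk = pmk_from_passphrase(passphrase, ssid)
    return {name: derive_ptk(pmk, aa, spa, anonce, snonce)["TK"]
            for name, (spa, anonce, snonce) in stations.items()}
```

Because the PMK is a deterministic function of passphrase and SSID, anyone who knows the passphrase and captures a station's 4-way handshake can derive that station's PTK; per-station keys separate stations from each other, not from someone who already holds the PSK.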

Page 28

Encryption Options

• TKIP uses RC4
  – Like WEP
  – Optional solution
• Can help legacy devices support better encryption than WEP
• CCMP/AES
  – Much more secure
  – Requires hardware support

Pg 453

Page 29

Segmentation

• Dividing up the network to restrict access to resources
  – VLANs
  – RBAC

Pg 454

Page 30

VLANs

• Common on wired networks
• With 802.11, map VLANs to specific SSIDs
• APs can support multiple SSIDs
  – Wireless VLANs
• Each VLAN has different access to the internal network and other networks

Pg 457

Page 31

VLANs

Page 32

RBAC

• Restrict access to authorized users
• When set up with a WLAN controller, RBAC can divide access based on users, roles or permissions
• Roles like sales or marketing
• Permissions
  – Layer 2 or 3 access
  – Layer 4-7 firewalls
  – Bandwidth
• When a user authenticates, their access is dependent on user credentials
  – Like traditional wired networks

Pg 457

Page 33

Infrastructure Security

• Physical
  – Don't want expensive APs walking away
• Interface Security
  – Limit access to the management functions
  – Turn off the ones not in use

Pg 458

Page 34

VPN Wireless Security

• VPNs were often used by systems before 802.11i
• Not recommended now since there are other measures
• Still required for remote access
  – When connecting through public hot spots

Pg 459

Page 35

Layer 3 VPN

• VPNs use secure tunneling
  – Encapsulate one network layer packet in another
  – Encapsulated packet has "hidden" data
• Outside packet has public addresses for transmitting over the network

Pg 459

Page 36

Layer 3 VPN

Pg 459

Page 37

Exam Essentials

• Define the concept of AAA.
  – Be able to explain the differences between authentication, authorization, and accounting and why each is needed for a WLAN network.
• Explain why data privacy and segmentation are needed.
  – Be able to discuss why data frames must be protected with encryption. Know the differences between the various encryption ciphers. Understand how VLANs and RBAC mechanisms are used to further restrict network resources.
• Understand legacy 802.11 security.
  – Identify and understand Open System authentication and Shared Key authentication. Understand how WEP encryption works and all of its weaknesses.
• Explain the 802.1X/EAP framework.
  – Be able to explain all of the components of an 802.1X solution and the EAP authentication protocol. Understand that dynamic encryption key generation is a by-product of mutual authentication.

Page 38

Exam Essentials

• Define the requirements of a robust security network (RSN).
  – Understand what the 802.11-2007 standard specifically defines for robust security and be able to contrast what is defined by both the WPA and WPA2 certifications.
• Understand TKIP/RC4 and CCMP/AES.
  – Be able to explain the basics of both dynamic encryption types and why they are the end result of an RSN solution.
• Explain VLANs and VPNs.
  – Understand that VLANs are typically used for wireless segmentation solutions. Define the basics of VPN technology and when it might be used in a WLAN environment.