![Page 1: Implementing Network Security – Wireless Security Segway! Steve Lamb Technical Security Advisor stephlam@microsoft.com](https://reader033.vdocument.in/reader033/viewer/2022061305/55141c52550346dd488b55f4/html5/thumbnails/1.jpg)
Implementing Network Security – Wireless Security Segway!
Steve Lamb
Technical Security Advisor
http://blogs.msdn.com/steve_lamb
So what’s the problem?
• WEP is a euphemism
  – Wired
  – Equivalent
  – Privacy
• Actually, it’s a lie
  – It isn’t equivalent to “wired privacy” at all!
  – How can you secure the air?
• Thus: WEP is very poor
  http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
WLAN Security Challenges – Unsecured WLAN
• Most wireless LANs are unsecured
[Diagram labels: Mobile Employee, WLAN Access Point, Company Servers, Evil Hacker]
WLAN Security Challenges – Weak Security in 802.11 Static WEP
[Diagram: traffic between the client and the access point shown as WEP ciphertext (“X7!g%k0j37**54bf(jv&8gF…”). Caption: “Thank goodness we use encryption!”]
Other 802.11 Challenges
• Access Points are dim!
• Key Management (!!!!)
  – Manual update = never changed!
• Access Control with MAC address filtering
  – = NO SECURITY!
• Neither is scalable
[Diagram: Wireless Client and Wireless Access Point, with the four functions Authentication, Authorization, Data Protection and Audit]
WLAN Security Challenges – Weak Security in 802.11 Static WEP
• Static WEP key easily obtained for encryption / authentication
[Diagram: the same WEP ciphertext (“X7!g%k0j37**54bf(jv&8gF…”) between client and access point, now read by the attacker. Callouts: “HAHAHAHA! I have the keys to your kingdom!” and “Thank goodness we use encryption!”]
WLAN Security Challenges – Weak Security in 802.11 Static WEP
• Man in the middle attacks are difficult to detect & prevent
[Diagram: client traffic (“X7!g%k0j37**”) passing through a Rogue Network. Callouts: “*All your data are belong to us...” and “Now where was that sensitive financial data...”]
Alternatives to WEP
VPNs
• Pros
  – Familiarity
  – Hardware independent
  – Proven security
• Cons
  – Lacks user transparency
  – Only user logon (not computer)
  – Breaks roaming profiles, logon scripts, GPOs, shares, management agents and Remote Desktop
  – No reconnect on resume from standby
  – Complex network structure
VPNs
• More Cons
  – No protection for WLAN
  – Bottleneck at VPN devices
  – Higher management & hardware cost
  – Prone to disconnection
• Yet more cons! (non-MS VPNs)
  – 3rd party licensing costs
  – Client compatibility
  – Many VPN auth schemes (IPsec Xauth) are as bad as WEP!
PEAP encapsulation
1. Server authenticates to client
2. Establishes protected tunnel (TLS)
3. Client authenticates inside tunnel to server
• No cryptographic binding between PEAP tunnel and tunneled authN method
• Fix: constrain client (in GPO) to trust only a specific corporate root CA
  – Foils potential MitM attacks
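The fix on the last bullet, worked through as an added example (not code from the deck): a simplified supplicant decision for the PEAP outer TLS handshake. Certificates are constructed stand-ins (subject, issuer, bytes), the thumbprint is a SHA-1 of those bytes, and the policy names are assumptions rather than the Windows profile schema. It shows that trusting every root in the machine store accepts an impersonating server holding a publicly issued certificate for the same name, while pinning the corporate root (with no user prompt) rejects it.

```python
import hashlib

def thumbprint(cert_der: bytes) -> str:
    """SHA-1 hex digest of the DER bytes, the thumbprint shown in the Windows cert UI."""
    return hashlib.sha1(cert_der).hexdigest()

# Constructed stand-ins for certificates: (subject name, issuer name, DER bytes).
CORP_ROOT = ("Corp Root CA", "Corp Root CA", b"constructed corp root cert")
CORP_RADIUS = ("radius.corp.example", "Corp Root CA", b"constructed corp radius cert")
PUBLIC_ROOT = ("Public CA", "Public CA", b"constructed public root cert")
# An impersonating server presenting a public-CA certificate for the corporate name.
ROGUE_RADIUS = ("radius.corp.example", "Public CA", b"constructed rogue radius cert")

# Weak policy: any root in the machine store is acceptable for the PEAP server.
MACHINE_STORE_ROOTS = {thumbprint(CORP_ROOT[2]), thumbprint(PUBLIC_ROOT[2])}
# Fixed policy (pushed by GPO): only the corporate root is trusted.
CORP_ONLY_ROOTS = {thumbprint(CORP_ROOT[2])}

def validate_peap_server(chain, expected_name, trusted_roots, prompt_on_failure):
    """Supplicant decision for the outer TLS handshake: 'accept', 'reject' or 'prompt'.

    chain is ordered leaf first, root last. A 'prompt' outcome hands the
    decision to the user, which in practice means the rogue tunnel is accepted.
    """
    for child, parent in zip(chain, chain[1:]):
        if child[1] != parent[0]:          # each issuer must be the next subject
            return "reject"
    root = chain[-1]
    chain_ok = thumbprint(root[2]) in trusted_roots
    name_ok = chain[0][0] == expected_name
    if chain_ok and name_ok:
        return "accept"
    return "prompt" if prompt_on_failure else "reject"
```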
EAP architecture
[Diagram of the EAP layering, top to bottom:
– Method layer: TLS, GSS_API/Kerberos, PEAP, IKE, MD5, MS-CHAPv2, TLS, SecurID
– EAP layer: EAP
– Media layer: PPP, 802.3, 802.5, 802.11, anything…]
802.1X over 802.11
Parties: Supplicant, Authenticator, Authentication Server
1. 802.11 association (Supplicant ↔ Authenticator; access blocked)
2. EAPOL-start (Supplicant → Authenticator)
3. EAP-request/identity (Authenticator → Supplicant)
4. EAP-response/identity (Supplicant → Authenticator), relayed as RADIUS-access-request (Authenticator → Authentication Server)
5. RADIUS-access-challenge (Authentication Server → Authenticator), relayed as EAP-request (Authenticator → Supplicant)
6. EAP-response (credentials) (Supplicant → Authenticator), relayed as RADIUS-access-request
7. RADIUS-access-accept (Authentication Server → Authenticator), relayed as EAP-success
8. Access allowed
9. EAPOW-key (WEP)
Callouts on the slide: “Gotta get on!”, “Calculating this guy’s key…”, “Access blocked”, “Calculating my key…”, “(Wow I just don’t understand this new maths!)”
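The exchange above, simulated as an added example (not code from the deck): a RADIUS-style server and an authenticator that only relays EAP and keeps its controlled port blocked until Access-Accept, then hands down a per-session key. The user list, the password check and the key derivation are constructed for the simulation; a real deployment runs the credential exchange inside a PEAP tunnel rather than as a bare EAP response.

```python
import secrets

class AuthServer:
    """RADIUS/EAP server with a constructed user list; it never talks to the client directly."""
    def __init__(self, users):
        self.users = users

    def handle(self, eap, user, password=None):
        """Map an EAP response relayed in a RADIUS Access-Request to (RADIUS reply, EAP reply)."""
        if eap == "response/identity":
            return "access-challenge", "request"          # ask for credentials via EAP-request
        if self.users.get(user) == password:
            return "access-accept", "success"
        return "access-reject", "failure"

class Authenticator:
    """Access point: relays EAP over RADIUS and keeps the controlled port blocked until accept."""
    def __init__(self, server):
        self.server, self.port_open, self.session_key, self.trace = server, False, None, []

    def eap(self, eap, user, password=None):
        self.trace += [f"EAP-{eap}", "RADIUS-access-request"]
        radius, eap_reply = self.server.handle(eap, user, password)
        self.trace += [f"RADIUS-{radius}", f"EAP-{eap_reply}"]
        if radius == "access-accept":
            self.port_open = True
            self.session_key = secrets.token_hex(13)     # 104-bit per-session key, not a static WEP key
            self.trace += ["Access allowed", "EAPOW-key"]
        return eap_reply

    def data_frame(self, payload):
        """Before authentication only EAPOL passes; every other frame is dropped."""
        return "forwarded" if self.port_open else "blocked"

def supplicant_connect(ap, user, password):
    """Drive the slide's sequence from the client side; True once EAP-success arrives."""
    ap.trace += ["802.11 association", "EAPOL-start", "EAP-request/identity"]
    if ap.eap("response/identity", user) != "request":
        return False
    return ap.eap("response (credentials)", user, password) == "success"
```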
Session Summary
• Windows XP has great wireless security features
• There’s extensive prescriptive guidance available from our website
• Don’t be scared of wireless!
Next Steps
• Find additional security training events: http://www.microsoft.com/seminar/events/security.mspx
• Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx
• Check out Security360: http://www.microsoft.com/seminar/events/series/mikenash.mspx
• Get additional security tools and content: http://www.microsoft.com/security/guidance
Resources
• Microsoft Wi-Fi Page: http://www.microsoft.com/wifi
• The Unofficial 802.11 Security Web Page: http://www.drizzle.com/~aboba/IEEE/
• Intercepting Mobile Communications: The Insecurity of 802.11: http://www.drizzle.com/~aboba/IEEE/wep-draft.zip
• Fluhrer, Mantin, Shamir WEP Paper: http://www.crypto.com/papers/others/rc4_ksaproc.pdf
• WiFi Planet: http://www.wi-fiplanet.com/
• Microsoft Solution for Securing Wireless LANs with PEAP and Passwords (< 1 week): http://www.microsoft.com/technet/security/guidance/peap_0.mspx
• Microsoft Solution for Securing Wireless LANs with Certificates: http://www.microsoft.com/technet/security/prodtech/win2003/pkiwire/swlan.mspx
• Wifi for SOHO Environments: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wifisoho.mspx
Credits
• Thanks to Ian Hellen (MCS) & Steve Riley (Corp) as I “borrowed” several of their slides!
Questions and Answers