Wireless Technology Seminar

Transcription

1 Wireless Technology Seminar

2 Introduction Adam Worthington Network Consultant

3 Wireless LAN Why? Flexible network access for your users? Guest internet access? VoWIP? RFID?

4 Available Wireless LAN Technologies

5 802.11b First widely adopted commercially available wireless technology Data rates up to 11mbps. Operates in 2.4Ghz waveband 3 non-overlapping channels Good Signal Propagation

6 802.11g Backward compatible with b Data rates up to 54Mbps Operates in 2.4Ghz waveband 3 non-overlapping channels Good signal propagation

7 802.11a Least adopted of the three standards in the UK Data rates up to 54Mbps Operates in the cleaner 5Ghz waveband 8 non-overlapping channels Worst signal propagation

8 802.11: Emerging Standards e - Enhancements: QoS, including packet bursting i - Enhanced security (WPA2)

9 WLAN Solution: What Should It Provide A Wireless LAN Solution Should: Authenticate devices/users Encrypt data Ensure data integrity Allow guest access Plan and manage RF coverage Detect ad hoc or rogue users Identify rogue APs Protect against and locate the source of DoS and manin-the-middle attacks

10 Different Wireless Solution Types Standalone (FAT) AP Appliance/VPN Solution Wireless LAN Switch/Controller

11 Standalone AP Cisco, 3com, Proxim Good, Flexible Feature Set Highest Management Overhead Worst physical security Requires additional management software/appliance for network RF awareness

12 Appliance/VPN Solution Vernier/HP, Cisco Central security management Excellent IP layer security Good physical security Limited support for Broadcast/Multicast/non- IP No concept of RF. Channel, power and layer 2 security must be managed on AP, possibly assisted by external management software.

13 Wireless LAN Switch/Controller Solution Cisco, Trapeze/3com, Aruba Central security and RF management Excellent wireless security Good physical security Best RF control e.g. dynamic power and channel allocation Support for advanced wireless technologies e.g. RFID

14 WLAN Security: Levels of protection Authentication Data Origin Protection Data Integrity Protection Confidentiality

15 802.11i: Security For The Air IEEE i (WPA2) defines a new type of wireless network called a robust security network (RSN). Strong authentication: 802.1x Strong encryption: TKIP and AES

16 802.1x Authentication Supplicant Authenticator Authentication Server

17 802.1x and EAP Originally defined for use with PPP Truly Extensible, does not force users into certain types of authentication.

18 802.1x: Initial Connection Client AP Client scans the air looking for a network Client joins one of the networks and performs open-system Authentication Client sends association request Access Point sends client association ID Start 802.1x authentication (EAP over LAN, Start) Access Point queries who are you?

19 EAP: Which Type? EAP-TLS PEAP/MS-CHAPv2 EAP-TTLS

20 Client PEAP Stage 1: TLS Handshake AP RADIUS Server Hi I m Adam, here s my Network Access Identity (NAI, includes my username, my random number and a list of cryptographic algorithms I support). AP forwards Radius Access Request with NAI Got it. I ll decrypt the pre-master secret with my private key. I ll derive the keying material. It s the same as your keying material. Now we can bidirectionally encrypt and integrity check the session. Okay, here s my random number. I ve looked at your list and we ll use 128- bit RC4 encryption and MD5 message integrity checking. I ll also send you my certificate. Okay, I ve checked your certificate and you re authenticated. Now I ll generate and send you the premaster secret encrypted with your public key. With this we can each derive keying material to be used to encrypt this TLS session.

21 Client PEAP Stage 2: MS-CHAPv2 Authentication AP RADIUS Server Who are you? I ve told you once I m Adam. Okay, I ll use my password and a hash function to create a response to your challenge. I ve also got a challenge for you. Okay, I m RADIUS1. We ll use MS- CHAPv2 for authentication, here s a challenge for you. I m happy with your response to my challenge, here s a response to your challenge. I m happy with your response to my challenge, AP, let s talk. RADIUS server sends the access point a RADIUS accept message including any configured authorisation attributes (VLAN ID etc.) Authentication complete

22 Encryption i (also known as WPA2) using counter-mode/cbc-mac protocol (CCMP) Wi-Fi Protected Access (WPA) using TKIP Dynamic WEP Dynamic WEP with Broadcast/Multicast Key Rotation

23 Pre i Roaming Hand off Discovery phase Association (or re-association) with second AP requires full EAP exchange Total time to associate hundreds of milliseconds

24 802.11i Fast Handoff Hand off Discovery phase Association (or re-association) PMK Cached, straight to four-way handshake Total time to associate tens of milliseconds

25 Rogue Users and AP s Types of rogue Employee installed unsanctioned AP Employee AD-HOC network Unauthorised intruder or hacker Bug-light AP

26 Employee Installed Unsanctioned AP Unsanctioned AP Corporate Network Wireless Client

27 Employee AD-HOC network Corporate Network

28 Unauthorised Intruder or Hacker They don t all use Pringles cans!

29 Bug-Light AP Rogue PEAP With Network Stage 12 Access Rogue AP Legitimate AP Legitimate Client RADIUS Server

30 Rogue Detection and Location Manual detection: IT Manager with Airmagnet, AiroPeek, Sniffer Wireless etc. Wireless IDS: AirDefense etc. Solution integrated with wireless LAN: Cisco, Trapeze etc.

31 To Catch a Rogue Detection Location Action

32 How These Concepts May Apply to Your WLAN Guest internet access provided by FroDo Web-AUTH solution Unit LAN access managed locally and secured by WPA2

33 Bridging Access Point Sample Topology Bridging Access Point PC PC PC Switch Supporting Multiple VLANs Wireless Switch FroDo University backbone network Main Unit VLAN FroDo Guest Wireless VLAN VLAN Trunk Carrying All VLANs Wireless Hardware VLAN

34 Conclusion Security is key Many options, choose the one that fits best.