WLAN - Good Security Principles. WLAN - Good Security Principles. Example of War Driving in Hong Kong* WLAN - Good Security Principles

Transcription

1 WLAN Security.. from this... Security Architectures and Protocols in Wireless LANs (Section 3) 1 2 WLAN Security.. to this... How Security Breaches Occur 3 War (wide area roaming) Driving/War Chalking Passing by in cars, pedestrians Attack software available on Internet to assist Access to an insecure WLAN network is potentially much easier than to a fixed network Without authentication and encryption, WLANs are extremely vulnerable IDS must be monitored as with a fixed network Anybody with shareware tools, WLAN card, antenna and GPS is capable of war driving 4 Wireless LAN - Good Security Principles 5 WLAN - Good Security Principles Problems with bad WLAN architecture Located behind firewall in trusted network No authentication Best to locate on DMZ with authentication Must consider security options: Infrastructure design to enhance security? Open access or MAC restricted? Implement WEP or not? Problem with rogue WLAN Can give access to trusted network as connection/installation as easy as connecting to 6 a hub and without knowledge of administrator 1

2 WLAN - Good Security Principles Wireless LAN - out of the box Enable WEP (in spite of some issues) Change default/identifiable SSID (Service Set Identifier) as network name not encrypted Use products with dynamic key generation or security architectures which do the same Do not use MAC address Authentication - tools are readily available to sniff a MAC address 7 WLAN - Good Security Principles Use MAC filters - particularly for lost or stolen cards, VPNs and encryption tunnels to control access Lock down access point management interfaces and use anti-virus and firewall systems Implement Layer 3 (or higher) functions: IEEE 802.1x which supports EAP (Extensible Authentication Protocol) AAA (Authentication, Authourisation and Accounting) WEP dynamic session keys Directory Enabled Authentication 8 PBNM (Policy Based Network Management) WLAN - Good Security Principles WEP (basic) Enable WEP to make attacks difficult Choose WEP key not in dictionaries Association Block association by MAC Address Restrict DHCP to selected MAC address clients Firewall filters On a need to know basis Isolate to specific segment 9 Example of War Driving in Hong Kong* Background: Dates: 7 July, 2002 and 5 Oct, 2003 Equipment: Notebook + Avaya Gold Wireless LAN card + Windows XP + NetStumbler Notebook + Avaya Gold Wireless LAN card + Antenna + Windows NetStumbler *Ref: War Driving Comparison - (July, 2002 and 5 Oct, 2003) War Driving in Hong Kong Route: Admiralty MTR Stations -> Pacific Place -> Tram (Admiralty to Kennedy Town) -> Tram (Kennedy Town to Causeway Bay) 11 2

3 War Driving in Hong Kong Results Number of Discovered Access Point with antenna: 187 (2002), up to 784 (2003) Number of Discovered Access Point without antenna: 52 (subset of above) War Driving in Hong Kong Result WEP Usage: WEP Enable: 43 WEP Disable: 144 (2002) WEP Usage: WEP Enable: 142 WEP Disable: 474 (2003) 30% (2003) 70% (2003) War Driving in Hong Kong Results (2002 and 2003) SSID Usage: Default SSID: 77 Use Non Default SSID: 87 Unknown: 5 Other: 18 War Driving in Hong Kong Result Channel ID Setting Behaviour and Distribution: 43% (2003) Other means well known SSID, ie PCCW & i-cable Some of the Default SSID list is referenced from tm Most common channels still 1, 6 and 11 (2003) Final Comments on the Hong Kong Experiment... The Hong Kong study demonstrated than there has been little improvement in the use of WEP and non-default SSID The range reached in these experiments was 10 km!! (Sau Mou Ping - Victoria Peak) In another test direct drive from Melbourne airport to the city (September 2003) revealed 19 unprotected Wireless LAN networks Test in San Francisco revealed 140 WLANs from a central city point No WEP WLAN - Security Options WEP Shared Key IEEE802.1x with EAP - SRP, MD5 PEAP, EAP-TLS, TTLS, LEAP (CISCO) WPA (Wi-Fi Protected Access) using TKIP & MIC RADIUS Authentication Kerberos Authourisation Security Level VPN using IPSec WPA2/AES (Future) 18 3

4 WEP Security Features WEP (Wired Equivalent Privacy) RC4 encryption Uses 40 or 104 bit shared key + 24 bit IV Encrypts payload while frame is in the air Wireless LAN Encrypted by WEP Wired LAN Not encrypted by WEP Traffic flow WEP Security Features WEP Encryption / Decryption WEP (Wired Equivalent Privacy) WEP has two main design goals: Protection from eavesdropping Prevent unauthourised access IEEE defines mechanism for encrypting frames using WEP as follows... Combine /add Exclusive-OR WEP Encryption / Decryption WEP Encryption Plaintext Message CRC X-OR Keystream = RC4(iv,k) Combine /add Exclusive-OR 23 iv Ciphertext Transmitted Data k = key iv = Initialisation Vector RC4 = Rivest Cipher 4 Stream Cipher 24 4

5 WEP Decryption WEP Security Features X-OR iv k = key iv = Initialisation Vector Ciphertext Transmitted Data Keystream = RC4(iv,k) Plaintext Message CRC Protocol for encryption and authentication Operation based upon RC4 symmetric cipher with shared symmetric key 40-bit key with a 24-bit IV (Initialisation Vector) 104-bit keys (+24-bit IV) also possible Integrity check using CRC-32 IV used to avoid encrypting two plaintexts with same key by augmenting shared RC4 key and thus produce different RC4 key for each packet RC4 = Rivest Cipher 4 Stream Cipher WEP Security Features WEP was never intended to be complete end-to-end solution Business policy will dictate if additional security mechanisms required such as: access control, end-to-end encryption, password protection, authentication, VPNs, firewalls, etc WECA believe many reported attacks are difficult to carry out IEEE working on extensions to WEP 27 (IEEE i) WEP Symmetric Key Operation Secret Message over Wireless LAN Symmetric Key Symmetric Key Secret Message over Wireless LAN The same symmetric (RC4) key is used to encrypt and decrypt the data WEP Integrity Check Using CRC-32 Message Message CRC-32 Polynomial Match CRC-32 WEP Security Weaknesses Number of flaws discovered in WEP: Passive attacks to decrypt traffic using statistical analysis Active attacks - inject new traffic from unauthourised stations based upon known plaintext Active attacks to decrypt traffic based upon tricking the AP (Access Point) Dictionary-building attacks. After analysis of about a days traffic, realtime automated decryption of all traffic is possible Integrity check used to ensure packets not modified during transit Need for user/node Authentication (EAP/802.1x) 30 5

6 WEP Security Weaknesses These attacks possible with inexpensive off-the-shelf equipment (opinion) These attacks apply to both 40-bit and 104- bit versions of WEP These also apply to any version of the IEEE standards (802.11b in particular) that use WEP IEEE i recommend replacement of WEP by WPA and ultimately AES 31 WEP Security Weaknesses Both IC (Integrity Check) & IV (Initialisation Vector) implementations have weaknesses: IC using CRC-32 designed for detecting line errors, not as security mechanism, therefore has vulnerabilities (not a digital signature) Use of a 24-bit IV guarantees reuse within 5 hours or less (operating with 1500 byte packets at 11 Mbps). Hence attacker has multiple ciphertexts encrypted with same 32 key. WEP Security Weaknesses WEP standard does not discuss how shared keys are established Most installations use single key shared between all mobile stations & access points More sophisticated key management disciplines (PKI + IKE) can be used to improve attack defence. Few commercial systems implement such systems yet 33 Enhancements to WEP Ongoing development: WEP being enhanced (WPA, TKIP, AES) Increases size of IV space to 48 or 128 bits Key may be changed periodically via IEEE 802.1x re-authentication to avoid staleness Message Integrity Check (MIC) adds key to layer 2 WEP payload to prevent common attacks Re-authentication option for reassociate Protection against common attacks Kerberos for authentication within IEEE 802.1x Although security is improving, additional solutions may be required (policy) 34 IEEE 802.1x and EAP (Extensible Authentication Protocol) IEEE802.1x Model Implementation

7 IEEE802.1x Model Implementation 802.1X (EAPoL) b/g EAP-TLS EAP Out of scope of standard Wireless Client Access Point Authentication Server RADIUS IEEE 802.1x Authentication Synopsis: Defines generic framework for port-based MAC authentication (not user) and key distribution Authenticates before giving access to network IEEE 802.1x provides carrier for secure delivery of session keys between supplicant and authenticator Requires central RADIUS server running EAP EAP acts an authenticator (eg Ethernet switch or wireless AP) and authenticates a supplicant 38 (Ethernet or Wireless NIC) by consulting an authentication server such as RADIUS or Kerberos IEEE 802.1x Authentication Synopsis contd: IEEE 802.1x - implemented with different EAP types 1. EAP-MD5 for Ethernet LANs (= Wireless CHAP) 2. EAP-TLS for IEEE b WLANs but supplicant and authenticator must be able to handle digital certificates - hence PKI/CA infrastructure may be required 3. EAP-SRP (Secure Remote Password) authentication 4. CISCO - LEAP, FAST 5. Microsoft - PEAP 39 WLAN Security with 802.1X/EAP Supplicant (Client) or Encryption / Authentication Encryption / Authentication Access Point / Authenticator EAP Authentication (MD5, Wireless CHAP, TLS, LEAP, etc) 802.1X / EAPoL RADIUS RADIUS Authentication Server 40 WLAN Security with 802.1X/EAP 7. Negotiation [EAPoL] 6. Forwards challenge + EAP Type [EAPoL] 3. Client Identity IEEE 802.1x [EAPoL] 2. Request Identity IEEE 802.1x [EAPoL] 1. Request Connection IEEE 802.1x [EAPoL] 10. Secure Connection Established 9. RADIUS Server Accepts [RADIUS] 8. Response Forwarded [RADIUS] 5. Challenge + EAP Type [RADIUS] 4. Access Request [RADIUS] WLAN Security with 802.1X/EAP EAP carries authentication dialogue: client (supplicant) AAA server (authenticator) EAPOL (EAP Over LAN) - encapsulation technique for EAP packets in WLAN using IEEE 802.1x EAP/RADIUS carries EAP over fixed network AAA authourises session on behalf of AP Includes WEP keys from AP WEP keys from client created during/after EAP dialogue IEEE b Ethernet Access Client Point Server 7

8 WLAN Security with EAP 43 WLAN Security with EAP Extensible Authentication Protocol checklist: Does it provide for secure exchange of user information during authentication? Does it permit mutual authentication of the client and network thus preventing intrusion? Does it require dynamic encryption keys for user and session? Does it support generation of new keys at set intervals? Is it easy to implement and manage, eg EAP- TLS requires client-side certificates? 44 EAP (Extensible Authentication Protocol) RFC 2284 Many basic protocols such as PAP, CHAP and WEP offer very limited security EAP over IEEE802.1x provides extensions to allow arbitrary authentication mechanisms to validate connection (eg PPP, IEEE b, etc) EAP can link to 3rd party plug-in authentication modules: EAP (Extensible Authentication Protocol) RFC 2284 contd... EAP is available with Windows 2000 & XP Common EAP authentication types include: 1. EAP-SRP (Secure Remote Password) offers a cryptographically strong user authentication mechanism suitable for negotiating secure connections and performing secure key exchange using a user-supplied password 2. MD5 (Message Digest 5) - Wireless CHAP. Also released as PEAP - encrypts EAP Token cards, PKI, vendor specific options transaction in tunnel (Windows XP) EAP (Extensible Authentication Protocol) RFC 2284 contd LEAP (Lightweight EAP) and FAST (Flexible Authentication and Secure Tunneling) CISCO vendor-specific authentication provides mutual authentication and dynamic WEP key generation 4. EAP-TLS (Transport Layer Security) offers full authentication consistent with PKI public/private keys, PKI and digital certificates. RFC 2716 PPP EAP TLS Authentication Protocol 5. TTLS (Tunnelled Transport Layer Security) - Some Authentication Options WEP Authenticates node (via MAC address only) EAP-MD5 / PEAP / LEAP (Wireless CHAP) Authenticates user (via encrypted password using challenge/response and key management) EAP-TLS Authenticates node and user (via digital certificates) requires server, but not client certificate 8

9 EAP-TLS Authentication EAP-TLS Exchange 49 EAP-TLS Exchange Source: 50 Security Infrastructure and Options Network Security Layer 3 C Layer 2 B Gatew ay Firew all Application Serv er PEAP Exchange Source: 51 Internet A Wireles Sw itch Client s Router Access Gatew a Point y A Firew all Client Gatew ay Authentication D Firew all & Transport IEEE 802.1x AAA Local AAA MS-CHAP/V2 EAP-MD5 (Wireless CHAP) B PEAP Wireless EAP-TLS (Win XP) Network Security C WEP L2/L3 End to End Kerberos WPA/WPA2 Network Security Vendor Proprietary, eg VPN SSID EAP-TTLS PPTP MAC filter Cisco LEAP/FAST L2TP TKIP/MIC Other IPSec AES Source: Bell (Modified) AAA Remote AAA D SQL D SS7 Server Authentication RADIUS Kerberos Windows Active Directory LDAP Unix 52 SS7/HLR DB HLR VLR 53 Source: M eetinghouse 54 9

10 Typical VPN Implementation VPN Architecture in WLANs WLAN VPN Structure Application SSL/TLS Secure Protocols for Wireless LAN VPN Encryption Application SSL/TLS Transport (TCP, UDP) Router Transport (TCP, UDP) Network (IP) (VPN) Network (IP) IPSec Tunnels Network (IP) Network (IP) (VPN) Firewalls and tunnels configured using: IPSec, IKE, TLS, Digital Certificates b Link WEP 802.1b Physical b Link WEP 802.1b Physical Ethernet Link Ethernet Physical Ethernet Link Ethernet Physical Authentication Principles AAA (Authentication, Authourisation, Accounting) 59 AAA - Authentication, Authourisation, Accounting RADIUS - Remote Authentication Dial-in User Service RADIUS - originally developed to manage dialin access to Internet. Now being used to manage access control for other systems including Wireless LANs ( Diameter) Mobile users require access to resources over both fixed and mobile networks (must be transparent to user) 60 10

11 Authentication Principles Access control authourises who is allowed to enter network and which services can/cannot be accessed Managing a single database of users that contains authentication (user name and credentials), as well as access policy and provisioning information, is an effective way to achieve authentication AAA - Authentication Principles Authentication Validating a User s Identity Authentication protocols operate between user and AAA server: PAP, CHAP, RADIUS, DIAMETER, IEEE 802.1x, EAP Network Access Server (NAS) acts as relay device AAA - Authourisation Principles AAA - Accounting Principles Authourisation What is user allowed to do? Controls access to network services & applications Access policy can be applied on a per user, group, global, or location basis Attributes from an access request can be checked for existence or for specific values Other attributes, eg time-of-day or number of active sessions with same username can also be checked Outcome of policy decisions can be sent back to 63 access device as Access Reply attributes Accounting Collecting Usage Data Data for each session is collected by access device and transmitted to AAA server Usage data may include: User Identities Session Duration Number of Packets, and Number of Bytes Transmitted Accounting data may be used for: Billing Capacity Planning Trend Analysis Security Analysis Auditing 64 AAA Server Architecture AAA can offer Distributed Security Billing & Invoicing Services RADIUS Protocol Services User Developed Plug-in Central AAA Server Policy-Based Management Services User Directory Services Analysing and Reporting Services 65 Distributed Client/Service Model Network Access Servers (NAS) authenticate user through single, central authentication server Network Access Servers are clients of Authentication Server AAA clients are authenticated through a list of trusted servers Authentication Server stores all information about users, their passwords and access privileges Authentication Server can be accessed locally or 66 remotely over WAN connections 11

12 AAA can offer Distributed Security 67 Benefits of Distributed Security Security A central database is more secure than distributing user information over different devices in the LAN/WLAN Scalability A central authentication server allows for growth in number of access servers or clients without major change to the security configuration Centralised Management A flexible way to configure users and customise 68 service Improvements in Wireless Security New Developments Beyond WEP - WPA, i, WPA2, AES, RSN Recent Enhancements to WEP Temporary Key Integrity Protocol (TKIP) incorporated in intermediate standard (WPA) (2003) and in WPA2 (late 2004) 128 bit encryption key + 40 bit Client MAC 48 or 128 bit initialisation vector (IV) Backward compatibility with WEP Still uses RC4 Temporary Key changed every 10,000 packets 71 Recent Developments - TKIP TKIP provides mechanism for WEP key hashing between client and access point, removing predictability of IV Message Integrity Check (MIC) adds key to layer 2 WEP payload to prevent bit-flip or man-in-the-middle attacks Wi-Fi Protected Access (WPA) combines TKIP and MIC (2003) and can be implemented with firmware upgrade only 72 12

13 WPA (WiFi Protected Access) WPA (WiFi Protected Access) WPA (2003) was temporary fix pending release of WPA2 (IEEE i) late 2004 Provides for dynamic key distribution and can be used across multiple vendor s equipment Good for legacy systems because firmware upgrade only required Step en route to IEEE i which has AES rather that RC4 encryption However AES will require more powerful 73 processors (= H/W upgrade) Includes TKIP and 802.1x mechanisms dynamic key encryption + mutual authentication AP can periodically generate unique key for clients TKIP mechanism introduces: extended 48 or 128-bit IVs per packet key construction key derivation functions message integrity codes links to RADIUS Authentication servers using 802.1x with EAP 74 WiFi Networking News: Advanced Encryption Standard (AES) Since TKIP is designed to enhance WEP temporarily, a stronger encryption method - AES will replace the RC4 cipher AES is a block cipher, which makes prediction of the location of specific data within the encrypted stream more difficult Can be used to avoid the integrity check Recent Developments - RSN RSN (Robust Security Network) in process of being standardised (part of i). Includes: AES (128 bit) encryption AES is operated in CCMP mode (Counter mode with CBC-MAC Protocol) (encryption) CCM or CBC-MAC used to compute MIC (Message Integrity Check) value to protect data integrity (authentication). Replaces old CRC-32 checksum used with WEP vulnerabilities Key management using EAP IEEE i & WPA Comparison i WPA 802.1X Basic Service Set (BSS or infrastructure) Independent BSS (IBSS or ad-hoc) No Pre-authentication (moving between APs) No Key Hierarchy Key Management Cipher & Authentication Negotiation TKIP AES-CCMP No 77 Cipher Key Size Key Life Packet Key Data Integrity Header Integrity Key Management WEP, WPA and WPA2 RC4 None None WEP 40 bits 24-bit IV Concatenated CRC-32 RC4 48/128-bit IV Mixing Function MIC MIC EAP-based WPA 128 bits encryption 64 bits authentication WPA2 (802.11i) AES 128 bits 48/128-bit IV Not Needed CCM CCM EAP-based 78 13

14 Conclusions - Good Security Principles Recommendation (1) Wireless LAN related Configuration Enable WEP Drop non-encrypted packets Disable SSID (network name) broadcast Change SSID to something unrelated to network No SNMP access Choose complex admin password Enable firewall functionality Use MAC (hardware) address to restrict access Use MAC filtering to protect against primitive attackers Non-default Access Point password Change default Access Point Name Use 802.1x Conclusions - Good Security Principles Recommendation (2) Deployment Consideration Separate and closed network Treat Wireless LAN as external network VPN and use strong encryption No DHCP (use fixed private IP) Conclusions - Good Security Principles Recommendation (3) Always (wired or wireless) Install virus protection software plus automatic frequent pattern file update Shared folders must impose password Conclusion contd. Match new standards to four main components of a secure network: Mutual authentication EAP-based Cryptographic integrity protection MIC CCM Block cipher payload encryption AES Management Issue Carefully select physical location of AP, not near windows or front doors Prohibit installation of AP without authorisation Discover any new APs constantly (NetStumbler is free, Antenna is cheap) Power off ADSL Modem when Internet access is not Firewalls between wireless / wired required 82 components 14