WLAN Security: Configuring WLAN Security Options

Transcription

1 WLAN Security: Configuring WLAN Security Options 2010 Cisco Systems, Inc. All rights reserved. CUWN v Lesson Overview & Objectives Overview This lesson discusses the considerations and options for configuring security options appropriate for a various Cisco Unified Wireless Network deployments. Objectives Upon completing this lesson, you will be able to configure various security options for a WLAN solution that are appropriate for a specific deployment. This ability includes being able to meet these objectives: Identify considerations for weak security policies Describe Open Authentication and its issues List the benefits and downfalls of SSID Hiding Explain the purpose and configuration of Pre-Shared Key Authentication for Static WEP Describe Web Authentication 2010 Cisco Systems, Inc. All rights reserved. CUWN v

2 Weak Security Policies Open authentication (none) SSID Hiding Pre-shared key authentication (static WEP) Web Authentication 2010 Cisco Systems, Inc. All rights reserved. CUWN v Open Authentication No Security WLAN protocol defined in the specification. IEEE compliant WLAN client will use open authentication by default. Operates at Layers 1 and 2 and does not offer end-to-end security. Implied method of association since user authentication should be applied to provide security. WEP keys do not play a part in authentication. Authentication Request Authentication Association Request Association Data 2010 Cisco Systems, Inc. All rights reserved. CUWN v

3 Issues with Open Authentication No encryption, per-packet authentication or message integrity check. Does not protect against interception, hijacking, or packet modification. Client can authenticate based solely on having the right SSID. MAC filtering may be applied but this is still minimal security Cisco Systems, Inc. All rights reserved. CUWN v SSID Hiding SSID not included in AP beacons. Client must know the SSID cannot find it in the list of wireless networks. Wireless sniffers can pick up other packets from clients already on the WLAN; or can cause a client to de-associate and re-associate; and can determine the SSID from those packets Cisco Systems, Inc. All rights reserved. CUWN v

4 Pre-Shared Key Authentication Static WEP WLAN security protocol defined in the specification. Operates at Layers 1 and 2 and does not offer end-to-end security. Uses key plus Initialization Vector (IV). IV is a random number generated through the WEP algorithm. Only the key is used in encryption of the data. Three user-specified key lengths. 40-bit key. Combined with IV to yield 64 bits. 104-bit key. Combined with IV to yield 128 bits. 128-bit key. Combined with IV to yield 152 bits. Cisco wireless supports pre-shared key authentication. 40-bit or 104-bit keys supported. Disabled by default Cisco Systems, Inc. All rights reserved. CUWN v Pre-Shared Key Authentication Static WEP (Cont.) Same steps as open authentication with following additions: Requires a WEP key to be placed on the client and AP. Challenge phrase is sent in the clear from AP to client. Client uses WEP key to encrypt the challenge phrase and returns to AP. Authentication Request Challenge Phrase Encrypted Response Authentication Association Request Association Data 2010 Cisco Systems, Inc. All rights reserved. CUWN v

5 Pre-Shared Key Authentication Static WEP Issues No per-packet authentication or message integrity check. Hackers can easily obtain challenge phrase and encrypted response, and then: Crack the WEP key. Correctly decrypt captured data traffic. Weak encryption of data. Repeating IV can provide insight into cracking WEP key. Each client and AP must be configured with matching WEP key. Managing keys can be difficult in an enterprise WLAN. Less secure than using open Layer 2 association and then applying user authentication with dynamic encryption method Cisco Systems, Inc. All rights reserved. CUWN v Configuring Static WEP 1. From the WLAN configuration screen, click Security > Layer 2 tabs. 2. From the drop-down box, select Static WEP. The screen will refresh and show the new options. 3. In the WEP Parameters options, select the key size, the key index, and the key format. 4. Type the desired WEP key into the Encryption Key textbox Cisco Systems, Inc. All rights reserved. CUWN v

6 Web Authentication Allows users to authenticate through a web browser interface. Clients who attempt to access the WLAN using HTTP are automatically directed to a login page. Login page is customizable for logos and text. Maximum number of Local Web Authentication Users is Generally used for guest access. The Web Authentication page on the controller is customizable; or the user can be directed to another URL for a customized page Cisco Systems, Inc. All rights reserved. CUWN v Web Authentication Process Open Authentication Association DHCP Request Supplicant or Client DHCP Reply DNS Request DNS Redirect TLS Hello TLS Certificate TLS Negotiation Done Credential Request Credential Response DNS Response Data DNS Response Local or RADIUS AAA DHCP / DNS / RADIUS Server The controller uses the virtual interface address for communication to the client Cisco Systems, Inc. All rights reserved. CUWN v

7 2010 Cisco Systems, Inc. All rights reserved. CUWN v Web Authentication Issues No encryption, per-packet authentication, or message integrity check Should use some other security mechanism after authentication Does not protect against interception, hijacking, or packet modification Supported only with these Layer 2 security policies: open authentication open authentication+wep WPA-PSK Not supported for use with 802.1X 2010 Cisco Systems, Inc. All rights reserved. CUWN v

8 Configuring Web Authentication 1. From the WLAN configuration screen, click on the Security > Layer 3 tabs. 2. At the Web Policy checkbox, ensure that Authentication is selected Cisco Systems, Inc. All rights reserved. CUWN v Cisco Systems, Inc. All rights reserved. CUWN v

9 Web Authentication Page Configuration Go to Security > Web Auth > Web Login Page to configure and customize the login page for Web Authentication. Standard HTML tags can be used to customize the headline and message Cisco Systems, Inc. All rights reserved. CUWN v Web Authentication Page Configuration (Cont.) Default Login Page Customized Login Page (based on the previous slide s configurations and a custom logo uploaded to the controller) 2010 Cisco Systems, Inc. All rights reserved. CUWN v

10 Web Authentication Certificate The Controller can present a third-party certificate by downloading an SSL certificate, but the default is a self-signed certificate. For HTTPS web authentication sessions Cisco Systems, Inc. All rights reserved. CUWN v External Web Authentication Redirecting to an External Server 1. In the Web Authentication Type drop-down box, select External (Redirect to external server). 2. In the External Web Auth URL text box, type the URL to the external server authentication page. 3. In the Web Server IP Address text box, type the IP address of the external web server Cisco Systems, Inc. All rights reserved. CUWN v

11 External Web Authentication Creating a Pre-authentication ACL A pre-authentication ACL needs to be configured to allow the WLAN client to have access to the remote server for authentication. 1. Go to Security > Access Control Lists and create a new ACL. 2. Give the new ACL a name and click Apply Cisco Systems, Inc. All rights reserved. CUWN v External Web Authentication Creating a Pre-Authentication ACL Rule 1. After the new ACL has been created, select the new ACL. 2. Click Add New Rule. 3. Create a rule that allows HTTP access to the IP address of the remote web server Cisco Systems, Inc. All rights reserved. CUWN v

12 External Web Authentication Applying a Pre-Authentication ACL to a WLAN 1. In WLAN configuration mode, choose Security > Layer 3 tabs. 2. In the drop-down box for Preauthentication ACL, select the new ACL Cisco Systems, Inc. All rights reserved. CUWN v Assigning Web Authentication Type per WLAN A different Web Authentication type can be specified for each WLAN Cisco Systems, Inc. All rights reserved. CUWN v

13 Lesson Summary Weak security policies in a Cisco Unified Wireless Network environment allow easy access with minimal client-side configuration. Key security issues need to be considered before configuring Open Authentication. SSID Hiding has both benefits and downfalls for clients. WEP uses a pre-shared key to encrypt traffic to and from the client. Web Authentication is a method of verifying users through a web browser interface Cisco Systems, Inc. All rights reserved. CUWN v Cisco 2010 Cisco Systems, Inc. All rights reserved. CUWN v