Enrollment System THE AGING OF PEAP/MSCHAPV2: UNDERSTANDING THE DRIVERS OF OBSOLESCENCE

Transcription

1 Enrollment System THE AGING OF PEAP/MSCHAPV2: UNDERSTANDING THE DRIVERS OF OBSOLESCENCE (01) Cloudpath Networks

2 XPRESSCONNECT ENROLLMENT SYSTEM THE AGING OF PEAP/MSCHAPV2 January 27, 2014 Copyright 2014 Cloudpath Networks, Inc. All rights reserved. Cloudpath Networks and XpressConnect are trademarks of Cloudpath Networks, Inc. Other names may be trademarks of their respective owners.

3 INTRODUCTION Over the past months, a debate has been raging in the Wi-Fi Security Community regarding the shortcomings of the most prevalent of the Extensible Authentication Protocol (EAP) methods. The Protected Extensible Authentication Protocol (PEAP) and similarly, Tunneled Transport Layer Security (TTLS) have come under fire as being increasingly susceptible to Evil Twin or Man-In-The-Middle attacks that are aimed toward the acquisition of enterprise user credentials. Once acquired, these credentials may be used in a more concentrated and destructive attack on an organization's IT assets and infrastructure. Further, a commonly accepted notion that is perpetuated asserts that the most secure of the EAP methods, Transport Layer Security (non-tunneled), or EAP-TLS, is difficult and expensive to implement and maintain and makes for an altogether unpleasant user experience. ABSTRACT PEAP was developed to address the problem of encrypting EAP communications over wireless communications. The original EAP framework within the 802.1X specification did not consider that such communication would occur outside the physical security of a wire, and hence assumed a secure communication channel. Under PEAP, server-side PKI and public key certificates are used to establish an encrypted tunnel between the requesting device and a RADIUS server. User credentials are then passed through the tunnel, most commonly using a less secure EAP method known as MS-CHAPv2. Finally, the user credentials are typically authenticated against a directory server such as Active Directory or some other Lightweight Directory Access Protocol (LDAP) server. In contrast, EAP-TLS implementations require a client-side X.509 certificate to be present in addition to the server-side to authenticate a device to the network. It is this mutual certificate authentication requirement, without the use of enterprise user credentials, that makes EAP-TLS one of the most secure EAP methods in use today. However, the requirement of a PKI infrastructure and the lack of a reliable and automated mechanism to provision the client-side certificates to a wide range of devices have traditionally made EAP- TLS a much more difficult proposition to support on any kind of grand scale. This document examines the demonstrated threats associated with PEAP/TTLS, considers the real-world implications surrounding these issues, then proposes an EAP-TLS alternative that eliminates those risks while providing a simple and seamless user experience. PEAP AND THE BIG IF PEAP works IF everything is configured properly. If properly implemented at each layer and never messed with, PEAP is can be reliable, particularly on highly managed devices. The problem is that, in the real world, a proper implementation is very difficult to achieve in a corporate enterprise setting and nearly impossible to achieve in a BYOD environment. Cloudpath Networks Introduction 1

4 THE STARS MUST ALIGN Even if a proper baseline PEAP configuration is achieved, there are several challenges to ensuring the configuration remains secure. By its very nature, PEAP is fragile and requires a lot of care and feeding to provide the requisite level of security. Further, enterprise username and password credentials are put at risk not only in transit, but they are also maintained at rest on the device, exposing them in the event of device theft or compromise. The following must always be true for a solid PEAP implementation, and each carries with it associated pitfalls. Each device must be configured properly the same way, every time. Five different techs may set up the device five different ways. Requires highly disciplined technicians to set up each device. May require expensive MDM solution to promote a repeatable proper configuration. Untenable in a large organization and those with BYOD/Guest Support use cases. All users, even BYOD and Guests, must be registered in a directory server. User credentials must be managed manually for level of access and duration. User passwords must be complex. Requires strict user discipline and password rules enforcement. Users must properly validate the server-side certificate. Puts the onus on the user to recognize an evil twin or man-in-the-middle. There is no mechanism for the authentication server to guarantee the client has properly validated the server certificate for non-domain devices. A user-provisioned device can easily be misconfigured or ignore the server validation entirely, yet still establish a tunnel and pass credentials. This issue makes PEAP inherently unsuitable for BYOD/Guest uses. Even when things work perfectly, passwords remain resident on the device. Management of usernames and passwords on devices becomes confusing to users when the enterprise forces them to change their credential password on the network, resulting in a higher number of helpdesk calls. Cloudpath Networks The Stars Must Align 2

5 TRADITIONAL CHALLENGES IN EAP-TLS A common perception in the wireless networking community is that while EAP-TLS is more secure by far, it is expensive to implement and manage and difficult to maintain. Therefore, many organizations end up sacrificing security for user experience and supportability, ultimately assuming the risk that accompanies the less secure methods such as PEAP or TTLS. The most common reasons for not leveraging an EAP-TLS implementation are as follows: EAP-TLS requires a PKI infrastructure, and PKI is expensive to acquire and maintain. Trusted Third Party (External CA) is not worth the cost and is a pain to manage for BYOD/Guests. Internal CA is not worth the cost and effort just for wireless. Each device requires its own client certificate, therefore How do you support the wide selection of devices on the market? How do you provision them all? How do you control helpdesk costs associated with device provisioning and management? Managing policy is too hard, and all devices end up being treated the same. No easy-to-manage and reliable way to discern corporate users from Guest/BYOD users and to apply varying levels of trust. SOLUTION: XPRESSCONNECT ENROLLMENT SYSTEM (ES) XpressConnect ES brings standards-based security to diverse and unmanaged environments in a manner that is scalable and sustainable. By using XpressConnect ES, you can support WPA2-Enterprise using EAP-TLS, ensuring that users are effortlessly provisioned and connected to the secure network across a wide range of laptops, phones, and tablets. What s more, XpressConnect ES makes it simple to apply different levels of trust to different classes of devices, whether they are Corporate-owned, BYOD, or Guest/Partnerowned. XpressConnect ES combines the low cost and ubiguity of the native 802.1X supplicants with the manageability and ease-of-use traditionally associated with expensive third-party supplicants. In situations where the native supplicant doesn t fit your needs exactly, XpressConnect ES has the ability to augment it to provide the features you need, all in a minimally invasive manner. Cloudpath Networks Traditional Challenges in EAP-TLS 3

6 SECURE, AS SIMPLE AS INSECURE. XpressConnect ES leverages the innate capabilities of your existing infrastructure in a centralized, complete, and easy-to-deploy package. By using XpressConnect ES, you ensure that each device is automatically configured in the same secure manner every time, using the most secure EAP method for WPA2-Enterprise deployments. INCREASED SECURITY FOR ALL USERS XpressConnect ES has the unique ability to configure wireless profiles, 802.1X supplicant information, and other security-related settings on the fly from a browser for most Windows, Mac, Ubuntu, and Fedora computers and the ever expanding list of handheld devices, including iphone, ipad, ipod Touch, and Android phones and tablets. XpressConnect ES can easily support a transition from PEAP to the EAP-TLS method with no disruption to your user base. XpressConnect ES using EAP-TLS reduces the number of helpdesk calls when enterprise credential passwords change. XpressConnect ES using EAP-TLS eliminates enterprise credentials from being resident on the device, reducing exposure in the event of device theft or compromise. SIMPLE TO CONFIGURE XpressConnect ES comes packaged with all of the components you need to fully support PKI and RADIUS for a complete EAP-TLS deployment. Easy-to-construct workflow to support your organization s unique use cases. Takes the guesswork out of identifying and classifying users and devices. Each type and class of device is provisioned properly, every time. SIMPLE TO USE XpressConnect ES automates the association and authentication process, ensuring users are connected painlessly. With XpressConnect ES, increased security no longer translates into end user frustration and IT support overhead. Cloudpath Networks Secure, as simple as insecure. 4

7 CONCLUSION With the revelation and exploitation of its shortcomings over the past 18 months, it is clear that PEAP is transitioning from relevance to obsolescence. In the same way WEP (Wired Equivalent Privacy) was once considered secure and then compromised, exploited, and rendered obsolete, PEAP/MSCHAPv2 and TTLS/PAP have reached the end of their useful life. Time marches on, and soon, a network utilizing PEAP or TTLS will be considered insecure. This path is inevitable as the PEAP and TTLS exploits become more well-known, refined, and targeted. Fortunately, organizations no longer have to make the difficult choice between sacrificing security for the sake of supporting a wide range of wireless devices or providing a pleasant user experience. XpressConnect ES by Cloudpath brings standards-based EAP-TLS security to even some of the most challenging environments while delivering the wide ranging device support and the ease-of-use quality that has been lacking in legacy EAP-TLS implementations. ABOUT CLOUDPATH NETWORKS, INC. Cloudpath Networks, Inc. provides software solutions and services that simplify the adoption of standards-based security, including WPA2-Enterprise, 802.1X and X.509, in diverse BYOD environments. Cloudpath was the originator of the secure, automated onboarding model for personal and unmanaged devices, and our XpressConnect Enrollment System won the Best of Interop - Wireless & Mobility award. From educational institutions, to enterprise, to service providers, to government agencies, Cloudpath services have been deployed worldwide for more than 15 million devices a year. CONTACT INFORMATION Web: General Inquiries: [email protected] Support: [email protected] Sales: [email protected] Media: [email protected] Marketing: [email protected] Phone: (US) (US) +44 (01) (UK) Fax: Cloudpath Networks Conclusion 5