Table of Contents 1 WLAN Security 1-1

Size: px

Start display at page:

Download "Table of Contents 1 WLAN Security 1-1"

Silas Francis
7 years ago
Views:

1 Table of Contents 1 WLAN Security 1-1 Overview 1-1 Authentication Modes 1-1 WLAN Data Security 1-2 Client Access Authentication 1-3 WLAN Security Policies 1-5 i

2 1 WLAN Security Overview WLAN networks feature ease of deployment, low cost, and good scalability. However, since radio signals are transmitted over the air, attackers can easily eavesdrop and modify radio data. Therefore, security is a primary concern in WLAN deployment. The wireless security capabilities incorporated in are inadequate for protecting networks containing sensitive information. They do a fairly good job for defending against the general public, but there are some good hackers who can crack into wireless networks. Therefore, there is a need to implement advanced security mechanisms beyond the capabilities of H3C WLAN security fully implements IEEE security standards and meets the requirements of WPA. Besides, it can cooperate with port security features to provide more secure wireless access, and more flexible service combinations, thus satisfying various network requirements. Both ACs and fat APs support all security features described in this document. This document describes the WLAN security implementation on ACs. Authentication Modes Open system authentication Open system authentication is the default authentication algorithm. This is the simplest of the available authentication algorithms. Essentially it is a null authentication algorithm. Any client that requests authentication with this algorithm can become authenticated. Open system authentication involves a two-step authentication process. The first step is to request for authentication. The second step is to return the authentication result. Figure 1-1 Open system authentication process Shared key authentication 1-1

3 The following figure shows a shared key authentication process. The two parties have the same shared key configured. 1) The client sends an authentication request to the AP. 2) The AP randomly generates a challenge and sends it to the client. 3) The client uses the shared key to encrypt the challenge and sends it to the AP. 4) The AP uses the shared key to encrypt the challenge and compares the result with that received from the client. If they are identical, the client passes the authentication. If not, the authentication fails. Figure 1-2 Shared key authentication process WLAN Data Security Compared with wired networks, WLAN networks are more susceptible to attacks because all WLAN devices share the same medium and thus every device can receive data from any other sending device. If no security service is provided, plain-text data is transmitted over the WLAN. To secure data transmission, protocols provide some encryption methods to ensure that devices without the right key cannot read encrypted data. 1) WEP encryption Wired Equivalent Privacy (WEP) was developed to protect data exchanged among authorized users in a wireless LAN from casual eavesdropping. It uses the RC4 encryption algorithm to secure data and uses the shared key mechanism to implement authentication. Although WEP-104 enhances WEP encryption, it still has weaknesses due to limitations of the RC4 encryption algorithm, the short initialization vector and static key configuration. WEP can work with either open system authentication or shared key authentication. Open-system authentication: When this authentication mode is adopted, a WEP key is used for encryption only. Even if the configured key is not correct, a user can still get online. However, the data sent by the user will be discarded by the receiver due to the incorrect key. Shared-key authentication: When this authentication mode is adopted, a WEP key is used for both authentication and encryption. If the configured key is not correct, a user cannot pass authentication. That is, when WEP encryption is used together with the shared-key authentication mode, WEP can also be used as an authentication method. 2) TKIP encryption 1-2

4 Temporal Key Integrity Protocol (TKIP) is a cipher suite enhancing the WEP protocol on pre-rsna hardware. It has many advantages over WEP. The main disadvantages of WEP include: it uses the same key for all frames though the IV changes, and it does not have a key management system. TKIP solves these problems: First, TKIP provides longer IVs to enhance WEP security. Compared to WEP encryption, the key length in TKIP encryption increases from 40 bits to 128 bits, and the length of IVs increases from 24 bits to 48 bits. Second, TKIP allows for dynamic key negotiation. TKIP replaces static keys with dynamic keys generated by an authentication server. Although TKIP uses the same RC4 algorithm as WEP, its dynamic keys are hard to be attacked. Third, TKIP offers Message Integrity Check (MIC) and countermeasure functions. When the MIC is wrong, the data may be tampered, and the system may be attacked. In this case, countermeasures can be taken to prevent attacks. 3) CCMP encryption CTR with CBC-MAC protocol (CCMP) is based on the CCM of the AES encryption algorithm. CCM combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the integrity of both the MPDU Data field and selected portions of the IEEE MPDU header. All AES processing used within CCMP uses AES with a 128-bit key and a 128-bit block size. CCM requires a fresh temporal key for every session. CCM also requires a unique nonce value for each frame protected by a given temporal key, and CCMP uses a 48-bit packet number (PN) for this purpose. Reuse of a PN with the same temporal key voids all security guarantees. Client Access Authentication 1) PSK authentication To implement pre-shared key (PSK) authentication, the client and the authenticator must have the same shared key configured. Otherwise, the client cannot pass authentication. Figure 1-3 PSK authentication 2) MAC authentication MAC authentication provides a way for authenticating users based on ports and MAC addresses. You can configure permitted MAC address lists to filter clients. However, the efficiency will be reduced when the number of clients increases. Therefore, MAC authentication is applicable to environments without high security requirements, for example, SOHO and small offices. MAC authentication falls into two modes: Local MAC authentication: When this authentication mode is adopted, you need to configure a permitted MAC address list on the device. If the MAC address of a client is not in the list, its access request will be denied. 1-3

5 Figure 1-4 Local MAC authentication Permitted MAC address list: bcf-cce f-e200-00a2 Client: bcf-cce3 Client: AC L2 switch AP Client: 001a d3e Remote Authentication Dial-In User Service (RADIUS) based MAC authentication: If the device finds that the current client is an unknown client, it sends an unsolicited authentication request to the RADIUS server. After the client passes the authentication, it can access the WLAN network and the corresponding authorized information. Figure 1-5 RADIUS-based MAC authentication 3) 802.1x authentication As a port-based access control protocol, 802.1X authenticates a client before it can access the WLAN through the associated AP. If the client fails to pass 802.1X authentication, it cannot access WLAN resources. 1-4

6 Figure X authentication process WLAN Security Policies Home and small enterprise networks that accommodate a few wireless users do not require exclusive IT administrators or authentication servers. In these scenarios, you can adopt the WPA-PSK + access point hiding policy to meet security requirements. In scenarios such as hospitals, schools and warehouses, wireless networks need to cover a wide area to provide access for many clients, and thus the WPA-PSK solution is no longer suited. You can adopt 802.1X authentication for these networks, in which, a RADIUS server is responsible for authenticating wireless clients to effectively filter unauthorized users. In public WLANs, large enterprises and financial institutes, some users may need to access the Internet through public hotpots such as airports and café shops, which gives opportunity to unauthorized users to access these networks and thus compromise network security. To prevent this, you can adopt the advanced security solution using the technologies of user isolation, IEEE802.1i, and RADIUS authentication and accounting to ensure network security. Table 1-1 WLAN security policies Security level Scenarios Security Policies Low Homes, small enterprises, and so on WPA-PSK + access point hiding Intermediate High Hospitals, schools, warehouses and so on Public WLANs, large enterprises, financial institutes, and so on IEEE802.1X authentication + TKIP encryption User isolation + IEEE802.11i + RADIUS authentication and accounting (for ISPs) 1-5

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 6. Wireless Network Security

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 6 Wireless Network Security Objectives Overview of IEEE 802.11 wireless security Define vulnerabilities of Open System Authentication,