Wireless Technology Seminar
Introduction
Adam Worthington, Network Consultant
Adam.Worthington@euroele.com

Wireless LAN: Why?
- Flexible network access for your users?
- Guest internet access?
- VoWIP?
- RFID?
Available Wireless LAN Technologies
802.11b
- First widely adopted, commercially available 802.11 wireless technology
- Data rates up to 11 Mbps
- Operates in the 2.4 GHz waveband
- 3 non-overlapping channels
- Good signal propagation

802.11g
- Backward compatible with 802.11b
- Data rates up to 54 Mbps
- Operates in the 2.4 GHz waveband
- 3 non-overlapping channels
- Good signal propagation

802.11a
- Least adopted of the three standards in the UK
- Data rates up to 54 Mbps
- Operates in the cleaner 5 GHz waveband
- 8 non-overlapping channels
- Worst signal propagation

802.11: Emerging Standards
- 802.11e: enhancements such as QoS, including packet bursting
- 802.11i: enhanced security (WPA2)
WLAN Solution: What Should It Provide?
A wireless LAN solution should:
- Authenticate devices and users
- Encrypt data
- Ensure data integrity
- Allow guest access
- Plan and manage RF coverage
- Detect ad hoc or rogue users
- Identify rogue APs
- Protect against, and locate the source of, DoS and man-in-the-middle attacks

Different Wireless Solution Types
- Standalone (fat) AP
- Appliance/VPN solution
- Wireless LAN switch/controller
Standalone AP (Cisco, 3Com, Proxim)
- Good, flexible feature set
- Highest management overhead
- Worst physical security
- Requires additional management software/appliance for network RF awareness

Appliance/VPN Solution (Vernier/HP, Cisco)
- Central security management
- Excellent IP-layer security
- Good physical security
- Limited support for broadcast/multicast/non-IP traffic
- No concept of RF: channel, power and layer 2 security must be managed on the AP, possibly assisted by external management software

Wireless LAN Switch/Controller Solution (Cisco, Trapeze/3Com, Aruba)
- Central security and RF management
- Excellent wireless security
- Good physical security
- Best RF control, e.g. dynamic power and channel allocation
- Support for advanced wireless technologies, e.g. RFID

WLAN Security: Levels of Protection
- Authentication
- Data origin protection
- Data integrity protection
- Confidentiality
802.11i: Security For The Air
IEEE 802.11i (WPA2) defines a new type of wireless network called a robust security network (RSN).
- Strong authentication: 802.1X
- Strong encryption: TKIP and AES

802.1X Authentication: the three roles
- Supplicant
- Authenticator
- Authentication server

802.1X and EAP
- Originally defined for use with PPP
- Truly extensible: does not force users into certain types of authentication

802.1X: Initial Connection (client and AP)
1. Client scans the air looking for a network
2. Client joins one of the networks and performs open-system authentication
3. Client sends an association request
4. Access point sends the client an association ID
5. 802.1X authentication starts (EAP over LAN, Start)
6. Access point asks: who are you?

EAP: Which Type?
- EAP-TLS
- PEAP/MS-CHAPv2
- EAP-TTLS
PEAP Stage 1: TLS Handshake (Client, AP, RADIUS Server)
Client: Hi, I'm Adam, here's my Network Access Identity (NAI; includes my username, my random number and a list of cryptographic algorithms I support).
AP: forwards a RADIUS Access-Request containing the NAI.
RADIUS Server: Okay, here's my random number. I've looked at your list and we'll use 128-bit RC4 encryption and MD5 message integrity checking. I'll also send you my certificate.
Client: Okay, I've checked your certificate and you're authenticated. Now I'll generate and send you the pre-master secret encrypted with your public key. With this we can each derive keying material to be used to encrypt this TLS session.
RADIUS Server: Got it. I'll decrypt the pre-master secret with my private key and derive the keying material. It's the same as your keying material. Now we can bidirectionally encrypt and integrity-check the session.

PEAP Stage 2: MS-CHAPv2 Authentication (Client, AP, RADIUS Server)
RADIUS Server: Who are you?
Client: I've told you once, I'm Adam.
RADIUS Server: Okay, I'm RADIUS1. We'll use MS-CHAPv2 for authentication; here's a challenge for you.
Client: Okay, I'll use my password and a hash function to create a response to your challenge. I've also got a challenge for you.
RADIUS Server: I'm happy with your response to my challenge; here's a response to your challenge.
Client: I'm happy with your response to my challenge. AP, let's talk.
The RADIUS server sends the access point a RADIUS Access-Accept message including any configured authorisation attributes (VLAN ID etc.). Authentication complete.
Encryption
- 802.11i (also known as WPA2) using the Counter Mode/CBC-MAC Protocol (CCMP)
- Wi-Fi Protected Access (WPA) using TKIP
- Dynamic WEP
- Dynamic WEP with broadcast/multicast key rotation

Pre-802.11i Roaming
- Hand-off
- Discovery phase
- Association (or re-association) with the second AP requires a full EAP exchange
- Total time to associate: hundreds of milliseconds

802.11i Fast Handoff
- Hand-off
- Discovery phase
- Association (or re-association): PMK cached, straight to the four-way handshake
- Total time to associate: tens of milliseconds
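As an added example (not from the seminar slides), the following Python shows why the cached-PMK path is faster: the PMKID and pairwise-key-expansion formulas are those of 802.11i, while `run_eap`, the `Authenticator` class and all MAC addresses are constructed stand-ins, not any vendor's implementation.

```python
import hashlib
import hmac

def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]

def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); AA = AP MAC, SPA = client MAC."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Four-way handshake pairwise key expansion (PRF-384 for CCMP: KCK || KEK || TK)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 384)

def run_eap(spa: bytes) -> bytes:
    """Stand-in for the full 802.1X/EAP exchange; returns a constructed PMK for the demo."""
    return hashlib.sha256(b"constructed MSK for " + spa).digest()

class Authenticator:
    """Hypothetical AP/controller holding a PMK cache (not any vendor's implementation)."""

    def __init__(self, aa: bytes):
        self.aa = aa
        self.cache = {}  # PMKID -> PMK

    def associate(self, spa: bytes, offered_pmkids: list) -> tuple:
        # The client lists PMKIDs it still holds in the RSN IE of its (re)association request.
        for pid in offered_pmkids:
            if pid in self.cache:
                return "fast-handoff", self.cache[pid]  # skip EAP, straight to the four-way handshake
        pmk = run_eap(spa)  # hundreds of milliseconds: full EAP round trip via RADIUS
        self.cache[pmkid(pmk, self.aa, spa)] = pmk
        return "full-eap", pmk

def demo() -> list:
    ap, client = Authenticator(bytes.fromhex("001122334455")), bytes.fromhex("66778899aabb")
    path, pmk = ap.associate(client, [])  # first association: nothing cached
    client_pmkids = [pmkid(pmk, ap.aa, client)]  # the supplicant computes the same PMKID
    path2, pmk2 = ap.associate(client, client_pmkids)  # roam back: re-association
    assert pmk2 == pmk
    return [path, path2]
```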
Rogue Users and APs: types of rogue
- Employee-installed unsanctioned AP
- Employee ad hoc network
- Unauthorised intruder or hacker
- Bug-light AP

Employee-Installed Unsanctioned AP
[Diagram: Unsanctioned AP, Corporate Network, Wireless Client]

Employee Ad Hoc Network
[Diagram: Corporate Network]

Unauthorised Intruder or Hacker
They don't all use Pringles cans!

Bug-Light AP
[Diagram: Rogue PEAP with network access (stages 1 and 2); Rogue AP, Legitimate AP, Legitimate Client, RADIUS Server]
Rogue Detection and Location
- Manual detection: IT manager with AirMagnet, AiroPeek, Sniffer Wireless etc.
- Wireless IDS: AirDefense etc.
- Solution integrated with the wireless LAN: Cisco, Trapeze etc.

To Catch a Rogue
- Detection
- Location
- Action
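An added illustration of the detection step, not part of the seminar: a triage routine run over constructed scan records (every BSSID, SSID and switch MAC-table entry below is made up) that sorts what a sensor sees into the rogue types listed above. The rule that an AP's Ethernet MAC sits next to its BSSID is a heuristic assumption, which is why the wired check comes last and unknowns are sent for location rather than acted on.

```python
# Constructed scan records, as a wireless IDS sensor or WLAN controller might report them.
SCAN = [
    {"bssid": "00:11:22:aa:bb:01", "ssid": "CorpNet", "ibss": False},
    {"bssid": "00:11:22:aa:bb:02", "ssid": "CorpNet", "ibss": False},
    {"bssid": "02:1c:3d:11:22:33", "ssid": "CorpNet", "ibss": False},       # our SSID, not our hardware
    {"bssid": "00:0f:b5:77:88:99", "ssid": "desk-ap", "ibss": False},       # consumer AP under a desk
    {"bssid": "02:aa:bb:cc:dd:ee", "ssid": "bobs-laptop", "ibss": True},    # IBSS = ad hoc network
    {"bssid": "00:21:91:12:34:56", "ssid": "Coffee-Guest", "ibss": False},  # neighbour across the street
]
AUTHORISED_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}  # from the WLAN inventory
CORPORATE_SSIDS = {"CorpNet"}
WIRED_MACS = {"00:0f:b5:77:88:98", "00:11:22:aa:bb:00"}         # switch MAC-address tables (constructed)

def on_corporate_wire(bssid: str) -> bool:
    """Heuristic (assumption): an AP's Ethernet MAC is usually its BSSID or one off in the low byte."""
    base = int(bssid.replace(":", ""), 16)
    for delta in (-1, 0, 1):
        candidate = f"{base + delta:012x}"
        if ":".join(candidate[i:i + 2] for i in range(0, 12, 2)) in WIRED_MACS:
            return True
    return False

def classify(rec: dict) -> str:
    """Map one observed BSS to the rogue types from the slides; unknowns are located before any action."""
    if rec["bssid"] in AUTHORISED_BSSIDS:
        return "authorised"
    if rec["ibss"]:
        return "employee ad hoc network"
    if rec["ssid"] in CORPORATE_SSIDS:
        return "bug-light AP (advertising our SSID from unknown hardware)"
    if on_corporate_wire(rec["bssid"]):
        return "employee-installed unsanctioned AP (bridged to our wire)"
    return "unknown / neighbour (locate before acting)"

def triage(scan: list) -> dict:
    """Return BSSID -> classification for a whole scan."""
    return {rec["bssid"]: classify(rec) for rec in scan}
```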
How These Concepts May Apply to Your WLAN
- Guest internet access provided by the FroDo Web-AUTH solution
- Unit LAN access managed locally and secured by WPA2

Bridging Access Point: Sample Topology
[Diagram: Bridging Access Point; PCs; Switch supporting multiple VLANs; Wireless Switch; FroDo; University backbone network; Main Unit VLAN; FroDo Guest Wireless VLAN; VLAN trunk carrying all VLANs; Wireless Hardware VLAN]

Conclusion
- Security is key
- Many options; choose the one that fits best