Security. Olga Torstensson Halmstad University. 2003, Cisco Systems, Inc. All rights reserved. FWL


Slide 8-1: Security
Olga Torstensson, Halmstad University
2003, Cisco Systems, Inc. All rights reserved. FWL 1.0 8-1

Slide 8-2: Key terms
- WEP, TKIP, MIC
- EAP, 802.1X, WPA, CCKM
- RADIUS, SSH
- Encryption: RSA, RC4 (WEP), DES, 3DES, AES
- Cipher
- BKR

Slide 8-3: Advanced Security Terms
- WEP: Wired Equivalent Privacy
- EAP: Extensible Authentication Protocol
- TKIP: Temporal Key Integrity Protocol
- CKIP: Cisco Key Integrity Protocol
- CMIC: Cisco Message Integrity Check
- Broadcast Key Rotation: Group Key Update
- WPA: Wi-Fi Protected Access

Slide 8-4: Security Fundamentals
Balancing Security and Access

Slide 8-5: Vulnerabilities
Technology:
- TCP/IP
- WEP and broadcast SSID
- Association process
- Wireless interference
Configuration:
- Default passwords
- Unneeded services enabled
- Few or no filters
- Poor device maintenance
Policy:
- Weak security policy
- No security policy
- Poorly enforced policy
- Physical access
- Poor or no monitoring

Slide 8-6: Threats
- Internal
- External
- Structured
- Unstructured

Slide 8-7: The Security Attack: Recon and Access

Slide 8-8: The Security Attacks: DoS

Slide 8-9: WLAN Security Wheel
- Always have a good WLAN security policy in place.
- Secure the network based on the policy.

Slide 8-10: WLAN Security Considerations
- Authentication: only authorized users and devices should be allowed.
- Encryption: traffic should be protected from unauthorized access.
- Administration security: only authorized users should be able to access and configure the AP configuration interfaces.

Slide 8-11: Common Protocols which use Encryption
When using a public network such as a WLAN, FTP, HTTP, POP3, and SMTP are insecure and should be avoided whenever possible. Use protocols with encryption instead.

Traffic          No Encryption    Encryption
Web Browsing     HTTP             HTTPS *
File Transfer    TFTP or FTP      SCP
Email            POP3 or SMTP     SPOP3 *
Remote Mgmt      Telnet           SSH
* protected by SSL/TLS

Slide 8-12: WLAN Security Hierarchy
- Open Access: no encryption, basic authentication. Typical use: public hotspots.
- Basic Security: 40-bit or 128-bit static WEP encryption. Typical use: home.
- Enhanced Security: 802.1X, TKIP/WPA encryption, mutual authentication, scalable key management, etc. Typical use: business.
- Remote Access: Virtual Private Network (VPN). Typical use: business traveler, telecommuter.

Slide 8-13: Basic WLAN Security: Admin Authentication on AP
To prevent unauthorized access to the AP configuration interfaces:
- Configure a secret password for privileged mode access. (good)
- Configure local usernames/passwords. (better)
- Configure the AP to use a security server for user access. (best)

Slide 8-14: User Manager

Slide 8-15: Admin Access CLI View

Slide 8-16: Console Password

Slide 8-17: SSID Manager

Slide 8-18: SSID Manager (cont.)

Slide 8-19: Global SSID Properties

Slide 8-20: SSID CLI View

Slide 8-21: WEP
- WEP is a key.
- WEP scrambles communications between AP and client.
- AP and client must use the same WEP keys.
- WEP keys encrypt unicast and multicast.
- WEP is easily attacked.

Slide 8-22: Supported Devices
What can be a client?
- Client
- Non-root bridge
- Repeater access point
- Workgroup bridge
What can be an authenticator?
- Root access point
- Root bridge?
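The WEP slide says only that WEP "scrambles" traffic with a key shared by the AP and every client and that it is easily attacked. The following Python is an added illustration, not code from the Cisco deck: it models the 802.11-1999 WEP frame body (24-bit IV, key ID byte, RC4 keystream applied to payload plus a CRC-32 ICV) so the structural weakness is visible, and pairs it with the check a WLAN monitor would run on the defender's side, namely flagging a transmitter that reuses an IV, which means the same RC4 keystream has been used twice. The RC4 routine, the 40-bit key, the MAC address strings and the payloads are constructed for the example.

```python
import struct
import zlib
from collections import defaultdict


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), the stream cipher WEP wraps. Educational reference only."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encapsulate(shared_key: bytes, iv: bytes, payload: bytes, key_id: int = 0) -> bytes:
    """Build the WEP-protected frame body: IV(3) | KeyID(1) | RC4(IV||key)(payload || ICV).

    The per-frame RC4 key is just the 24-bit IV prepended to the static shared key,
    so every station using the same key slot draws from one small keystream family.
    Cisco's "40-bit" and "128-bit" WEP are 5- and 13-octet keys plus the 24-bit IV.
    """
    if len(iv) != 3:
        raise ValueError("WEP IV is exactly 3 octets (24 bits)")
    if len(shared_key) not in (5, 13):
        raise ValueError("WEP keys are 40-bit (5 octets) or 104-bit (13 octets)")
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)  # CRC-32, not a cryptographic MAC
    ciphertext = rc4(iv + shared_key, payload + icv)
    return iv + bytes([(key_id & 0x3) << 6]) + ciphertext


def wep_decapsulate(shared_key: bytes, body: bytes) -> bytes:
    """Reverse wep_encapsulate and verify the ICV; raises ValueError on mismatch."""
    iv, ciphertext = body[:3], body[4:]
    plain = rc4(iv + shared_key, ciphertext)
    payload, icv = plain[:-4], plain[-4:]
    if struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF) != icv:
        raise ValueError("ICV mismatch: frame corrupted or wrong key")
    return payload


class IvReuseMonitor:
    """Defensive monitor: track (transmitter, IV) pairs seen on the air and flag repeats.

    With a 24-bit IV the keystream for a given key slot repeats after at most 2^24
    frames, and much sooner on drivers that reset or randomise the IV. A repeat is
    the signal that the static key should be retired in favour of TKIP/WPA key
    management, which the later slides of the deck introduce.
    """

    def __init__(self) -> None:
        self.seen: dict = defaultdict(set)   # transmitter MAC -> set of IVs observed
        self.reused: list = []               # (transmitter MAC, IV) pairs that repeated

    def observe(self, transmitter: str, body: bytes) -> bool:
        """Record one WEP frame body; return True when its IV was already seen from this sender."""
        iv = body[:3]
        if iv in self.seen[transmitter]:
            self.reused.append((transmitter, iv))
            return True
        self.seen[transmitter].add(iv)
        return False


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")                      # constructed 40-bit WEP key
    frame = wep_encapsulate(key, b"\x0a\xbc\xde", b"hello wlan")
    print("decapsulated:", wep_decapsulate(key, frame))
    mon = IvReuseMonitor()
    mon.observe("00:11:22:33:44:55", frame)
    repeat = wep_encapsulate(key, b"\x0a\xbc\xde", b"again")   # same IV, same key
    print("IV reuse flagged:", mon.observe("00:11:22:33:44:55", repeat))
```

Two points worth taking from the model: the ICV is a CRC-32 rather than a keyed integrity check, which is why the deck later lists MIC and CMIC as separate add-ons, and the only per-frame variation in the RC4 key is the three IV octets that are sent in the clear, which is what the monitor keys on.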

Slide 8-23: Enabling LEAP on the Client

Slide 8-24: Configuring LEAP on the Client

Slide 8-25: WEP Encryption Keys

Slide 8-26: Enterprise WLAN Authentication: Authentication Types
- Open authentication to the access point
- Shared key authentication to the access point
- EAP authentication to the network
- MAC address authentication to the network
- Combining MAC-based, EAP, and open authentication
- Using CCKM for authenticated clients
- Using WPA key management

Slide 8-27: WLAN Security: 802.1X Authentication (Mutual Authentication)
- EAP-TLS (EAP-Transport Layer Security): mutual authentication implementation; used in WPA interoperability testing.
- LEAP (Lightweight EAP): nearly all major OSs supported: WinXP/2K/NT/ME/98/95/CE, Linux, Mac, DOS.
- PEAP (Protected EAP): uses certificates or one-time passwords (OTP); supported by Cisco, Microsoft, and RSA; GTC (Cisco) and MSCHAPv2 (Microsoft) versions.
(Diagram labels: Client, AP, RADIUS Server)

Slide 8-28: EAP: Extensible Authentication Protocol (802.1X authentication)
- Provides dynamic WEP keys to user devices.
- Dynamic is more secure, since it changes.
- Harder for intruders to hack: by the time they have performed the calculation to learn the key, the key has changed!

Slide 8-29: Basic RADIUS Topology
RADIUS can be implemented:
- Locally on an IOS AP (up to 50 users)
- On an ACS server

Slide 8-30: Local RADIUS Server

Slide 8-31: Local RADIUS Server Statistics

Slide 8-32: RADIUS Server User Groups

Slide 8-33: ACS Server Options
- Cisco Secure ACS Software
- Cisco ACS Solution Engine

Slide 8-34: Backup Security Server Manager

Slide 8-35: Global Server Properties

Slide 8-36: Enterprise Encryption
WPA: Interoperable, Enterprise-Class Security
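The RADIUS slides name the topology (local RADIUS on the AP or an ACS server) but not what actually travels between the AP and the security server. As an added example that is not part of the Cisco deck, the Python below walks through the RFC 2865 exchange for a username/password user: the AP, acting as the NAS, builds an Access-Request with a random Request Authenticator and a hidden User-Password, the server answers Access-Accept or Access-Reject, and the AP only trusts the reply if its Response Authenticator checks out under the shared secret. The EAP methods on the previous slide ride over the same packets with extra attributes (EAP-Message, Message-Authenticator) that this example leaves out. The shared secret, user database, NAS address and identifiers are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865 (only the ones this example uses)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype: int, value: bytes) -> bytes:
    """One TLV attribute: Type(1) Length(1, header included) Value."""
    return bytes([atype, 2 + len(value)]) + value


def _packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Header is Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with an MD5 chain keyed by the secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out += prev
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; the NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ d for c, d in zip(block, digest))
        prev = block
    return out.rstrip(b"\x00")


def parse_attrs(data: bytes) -> dict:
    """Split the attribute area into {type: value}, rejecting truncated or zero-length TLVs."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        atype, alen = data[pos], data[pos + 1]
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs


def response_authenticator(secret: bytes, code: int, ident: int, request_auth: bytes, attrs: bytes) -> bytes:
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_request(secret: bytes, ident: int, username: bytes, password: bytes,
                         nas_ip: str, request_auth: bytes = None) -> bytes:
    """What the AP (the NAS) sends to the security server for a username/password user."""
    if request_auth is None:
        request_auth = os.urandom(16)          # must be unpredictable and unique per request
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, request_auth, password))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(secret: bytes, users: dict, request: bytes) -> bytes:
    """Minimal server decision: Access-Accept or Access-Reject with no reply attributes."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length > len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    password = reveal_password(secret, request_auth, attrs.get(ATTR_USER_PASSWORD, b""))
    expected = users.get(attrs.get(ATTR_USER_NAME))
    ok = expected is not None and hmac.compare_digest(expected, password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(secret, reply_code, ident, request_auth, b"")
    return _packet(reply_code, ident, auth, b"")


def client_verify(secret: bytes, request: bytes, response: bytes):
    """NAS side: accept a reply only if the Identifier matches our request and the Response
    Authenticator was computed with the shared secret over our Request Authenticator.
    Returns the reply code, or None when the reply must be discarded (wrong secret, or a
    reply that belongs to a different request)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length > len(response) or length < 20:
        return None
    expected = response_authenticator(secret, code, ident, request[4:20], response[20:length])
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code
```

The same check that rejects a reply forged without the secret also rejects a genuine server's reply to some other request, because the Request Authenticator of this request is folded into the hash. That is the property that makes "up to 50 users on the local IOS RADIUS server" and "on an ACS server" interchangeable from the AP's point of view: only the shared secret and the server address change.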

Slide 8-37: Cipher Suite
- Cipher suites are sets of encryption and integrity algorithms.
- Suites provide protection of WEP and allow use of authenticated key management.
- Suites with TKIP provide the best security.
- A cipher suite must be used to enable:
  - WPA (Wi-Fi Protected Access)
  - CCKM (Cisco Centralized Key Management)

Slide 8-38: Configuring the Suite
- Create WEP keys.
- Enable cipher suite and WEP.
- Configure broadcast key rotation.
- Follow the rules.

Slide 8-39: WEP Key Restrictions

Security Configuration           WEP Restriction
CCKM or WPA key mgt.             No WEP in slot 1
LEAP or EAP                      No WEP in slot 4
40-bit WEP                       No 128-bit key
128-bit WEP                      No 40-bit key
TKIP                             No WEP keys
TKIP and 40 or 128 WEP           No WEP in slots 1 and 4
Static WEP w/ MIC or CMIC        WEP keys and slots must match on AP and client
Broadcast key rotation           Keys in slots 2 and 3 are overwritten

Slide 8-40: Security Levels

Slide 8-41: Enterprise WLAN Security Evolution
TKIP/WPA: successor to WEP
- Cisco's pre-standard TKIP has been shipping since Dec. 01.
- Cisco introduced TKIP into the 802.11i committee.
- 802.11i-standardized TKIP is part of Wi-Fi Protected Access (WPA).
- WPA software upgrade now available for AP1100 and AP1200.
AES: the gold standard of encryption
- AES is part of the 802.11i standard.
- AES will be part of the WPA2 standard (expected in 2004).

Slide 8-42: Encryption Modes

Slide 8-43: Encryption Global Properties

Slides 8-44 to 8-49: Matching Client to AP

Slide 8-50: Advanced Security: MAC Authentication

Slide 8-51: Advanced Security: EAP Authentication

Slide 8-52: Advanced Security: Timers

Slide 8-53: VLANs
Configuring your access point to support VLANs is a three-step process:
1. Assign SSIDs to VLANs.
2. Assign authentication settings to SSIDs.
3. Enable the VLAN on the radio and Ethernet ports.

Slide 8-54: Using VLANs for Security
802.1Q wired network with VLANs; AP on channel 6.
- SSID data = VLAN 1, security: PEAP + AES
- SSID voice = VLAN 2, security: LEAP + WPA
- SSID visitor = VLAN 3, security: none