Wireless Security In an Education Environment

Presentation on theme: "Wireless Security In an Education Environment"— Presentation transcript:

1 Wireless Security In an Education Environment
Stan Brooks, CWNA, CWSP
Emory University, Network Communications Division
AIM / Y! / MSN: WLANstan

Copyright Stan Brooks. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 Outline
What this presentation will not cover:
- Not a how-to hacking/cracking course
- Not a wireless basics discussion
- Not a deep dive on WLAN protocols
Wireless Security:
- Why do we need security on wireless networks?
- Wireless Security Basics
- Wireless Security History
- Choosing a Wireless Security Model
- Implementing Wireless Security
- Migrating Security Models – A real-life story
- Protecting yourself – Safe Wireless Computing at Wi-Fi Hotspots and at Home

3 Why Do We Need Security on WLANs?
- Easy to eavesdrop (sniff)
- Easy to spoof MAC addresses
- Easy to hack/crack Pre-Shared Keys (WEP, WPA-PSK)
- Rogue APs
- Evil Twin & Man-in-the-Middle (MitM) attacks
- The last 100 feet is the worst of all: much less secure than even wired Internet access
- There is good news: wireless CAN be more secure than the wired network (if implemented properly)
(Diagram: Internet and Internal Network; a "Real" Access Point serving a "Real" Wireless User; a Rogue Access Point giving Unauthorized Access; AP Impersonation; Sniff the Air (Eavesdrop); an Evil Twin/MitM Access Point)

4 Wireless Security – What do we Protect?
There are 3 areas that need protection:
- Protect data as it travels from source to destination
  - Eavesdropping
  - Integrity (tampering)
  - Denial of Service (DoS)
- Protect the network from unauthorized/compromised users
  - Rogue APs
  - Stolen/hacked credentials
  - Client remediation (NAC/NAP/etc.)
- Protect the client from unauthorized access
  - MitM/Evil Twin and Ad Hoc attacks
  - Hacking open hard drive shares
(Diagram: Network – Access Point – Wireless User)

5 Security
Security is a PROCESS. Apply security in layers.
- There is NO single security silver bullet
- Different data require different levels of security: a term paper vs. student grades vs. financial aid data vs. health records
- Different users need different levels of access: student vs. faculty vs. guest users
- A business risk assessment helps to define requirements

6 Security Policy
- Wireless security SHOULD be part of your overall security policy
  - Acceptable Use Policy, Terms of Service (AUP/ToS)
  - Policy should address the 3 areas to protect outlined on the previous slide
- Role-based Access Control
  - All users are NOT created equal: student vs. faculty vs. staff vs. guest
  - All data are NOT created equal: term papers vs. grade reports vs. medical records
- Security policy also defines how the network is accessed
  - Type of hardware and what type of support: computers, PDAs, phones, game consoles, etc.; supported NICs (drivers, too)
  - Supported OS's: minimum service packs & patches
  - Access methods: network protocol & access method support

7 AAA (or AAAA)
- Originated with dial-up Internet and VPN access
  - RADIUS = Remote Authentication Dial-In User Service
- Authentication (username/password): who are you?
- Authorization (are you a valid user/subscriber?): are you allowed to log on to the network?
- Access Control (added for RBAC & wireless): where can you go once you are on the network?
- (Accounting) – originally the 3rd "A"
  - Logs, billing, tracking usage
  - For when the RIAA or MPAA comes around

8 Authentication in a Wireless Environment
Types of wireless security models:
- Open System
- Shared Key for encryption & authentication
  - Static key (WEP, WPA/WPA2-PSK)
  - Dynamic key (Dynamic WEP, WPA/WPA2-Enterprise)
Authentication models:
- VPN
- 802.1X (WPA/WPA2 or wired) – needs a RADIUS server
- Guest access: captive portal, walled garden, other

9 Wi-Fi Security Evolution
(Diagram: authentication methods on one axis – SSID, Captive Portal, 802.1X, 802.11i – and encryption methods on the other – WEP, Dynamic WEP, TKIP, VPN, AES)
- SSID only: easily hacked by children, no real security, just a no-trespassing sign
- Captive Portal: requires a web server and may compromise the username/password
- VPN: data encryption at the expense of (WLAN-layer) authentication, and may require client software
- 802.1X: uses EAP (EAP-TLS, EAP-TTLS, PEAP, LEAP, etc.) and requires a RADIUS server. Dynamic WEP is fairly secure; TKIP is much better, addressing all known issues with WEP (a 2007 assessment: TKIP has since been deprecated and should be treated only as a stop-gap replacement for WEP, not a current choice)
- 802.11i (also called WPA2): combines 802.1X authentication (EAP-TLS, EAP-TTLS, PEAP, LEAP, etc.) with AES encryption

10 WEP / WPA / WPA2 Basics

| | WEP | WPA-Personal | WPA-Enterprise | WPA2-Personal | WPA2-Enterprise |
|---|---|---|---|---|---|
| Encryption | RC4 w/WEP, 24-bit IV, 40/104-bit key | RC4 w/TKIP, 48-bit IV, 128-bit key | RC4 w/TKIP, 48-bit IV, 128-bit key | AES-CCMP, 48-bit IV, 128-bit key | AES-CCMP, 48-bit IV, 128-bit key |
| Integrity | CRC-32 (ICV) | Michael, 64-bit key | Michael, 64-bit key | CBC-MAC | CBC-MAC |
| Authentication | Optional Shared Key | PSK – Pre-Shared Key | 802.1X, various EAP types | PSK – Pre-Shared Key | 802.1X, various EAP types |
| Ad-Hoc support | Yes | No | No | No | No |
| Standard | Part of the original 802.11 standard (1997) | Snapshot of the 802.11i draft as of 10/2002 | Snapshot of the 802.11i draft as of 10/2002 | Specified in 802.11i, ratified 06/2004 | Specified in 802.11i, ratified 06/2004 |
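The table above lists CRC as WEP's "integrity" mechanism. The following added example (not code from the presentation) shows why that is not integrity at all: because RC4 is a stream cipher and CRC-32 is linear, an attacker who knows a few plaintext bytes can flip them in the ciphertext and repair the ICV without the key. The frame layout here is a simplified IV || RC4(IV || key, data || ICV) model rather than a full 802.11 frame, the key, IV and message are constructed sample values, and HMAC-SHA256 stands in for CCMP's CBC-MAC to show what a keyed MIC changes. The birthday estimate for 24-bit IV reuse is included for the same table row.

```python
"""WEP-style RC4 + CRC-32 framing, and why CRC is not an integrity check."""
import hashlib
import hmac
import math
import zlib

# Constructed sample values (not real keys or traffic).
WEP_KEY = bytes.fromhex("0badc0ffee")   # 40-bit WEP key
IV = bytes.fromhex("0a0b0c")            # 24-bit per-frame IV, sent in the clear
MESSAGE = b"PAY 0100 USD TO ACCT 4242"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """ICV = CRC-32(plaintext); the per-packet RC4 key is IV || key."""
    icv = crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok) the way a receiver would see it."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + key, body)
    data, icv = plain[:-4], plain[-4:]
    return data, crc32(data).to_bytes(4, "little") == icv


def forge(frame: bytes, offset: int, known: bytes, desired: bytes) -> bytes:
    """Attacker without the key rewrites `known` -> `desired` at `offset`.

    RC4 is XOR, so XOR-ing a mask into the ciphertext XORs it into the plaintext.
    CRC-32 is affine: crc(a ^ m) == crc(a) ^ crc(m) ^ crc(zeros of the same length),
    so the ICV correction depends only on the mask, not on the key or the data.
    """
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    mask = bytearray(n)
    mask[offset:offset + len(known)] = bytes(a ^ b for a, b in zip(known, desired))
    delta = (crc32(bytes(mask)) ^ crc32(bytes(n))).to_bytes(4, "little")
    full = bytes(mask) + delta
    return iv + bytes(b ^ m for b, m in zip(body, full))


def iv_reuse_probability(frames: int) -> float:
    """Birthday bound: probability that a random 24-bit IV repeats within `frames` frames."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * 2 ** 24))


def keyed_mic(key: bytes, data: bytes) -> bytes:
    """Stand-in for a real keyed MIC (CCMP's CBC-MAC): HMAC-SHA256 truncated to 8 bytes."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def demo() -> dict:
    frame = wep_encrypt(WEP_KEY, IV, MESSAGE)
    tampered = forge(frame, MESSAGE.index(b"0100"), b"0100", b"9900")
    data, crc_ok = wep_decrypt(WEP_KEY, tampered)
    # The same bit-flip against a keyed MIC is caught: HMAC is not linear in the data.
    mic_ok = hmac.compare_digest(keyed_mic(WEP_KEY, MESSAGE), keyed_mic(WEP_KEY, data))
    return {"forged_plaintext": data, "crc_accepted": crc_ok, "mic_accepted": mic_ok}


if __name__ == "__main__":
    print(demo())
    print("P(IV reuse after 5000 frames) =", round(iv_reuse_probability(5000), 3))
```

The receiver accepts the forged frame (`crc_accepted` is True) with the amount changed, which is the "Integrity (tampering)" item from slide 4 in concrete form; the keyed MIC rejects it. Michael (WPA) and CBC-MAC (WPA2) exist precisely to close this hole, which is why the table tracks integrity separately from encryption.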

11 WPA / WPA2-Enterprise (802.1X) Elements
- Supplicant (the client)
- Authenticator (the AP or WLAN controller): passes the authentication transaction between the Supplicant and the Authentication Server
- Authentication Server (RADIUS server)
(Diagram: Supplicant (Client) – Authenticator (Access Point) – Authentication Server (RADIUS) – Network)
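Slides 7 and 11 name RADIUS as the Authentication Server behind the authenticator. The added example below (not code from the presentation) shows the Access-Request / Access-Accept exchange of RFC 2865 between those two elements, including how the shared secret hides the User-Password and how the Response Authenticator lets the authenticator reject a spoofed reply. It models a PAP-style request; a real 802.1X deployment carries EAP-Message attributes plus the HMAC-MD5 Message-Authenticator (RFC 3579), which this model omits. The shared secret, identifier and user database are constructed values.

```python
"""RFC 2865 Access-Request / Access-Accept exchange, authenticator <-> RADIUS server."""
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2                      # attribute type codes

SHARED_SECRET = b"constructed-ap-to-radius-secret"   # sample value, not a real secret
USERS = {b"jdoe": b"correct horse battery"}          # sample credential store


def encode_attrs(pairs):
    """Type(1) Length(1) Value TLVs; Length counts the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def decode_attrs(blob):
    attrs = {}
    while blob:
        t, length = blob[0], blob[1]
        attrs[t] = blob[2:length]
        blob = blob[length:]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16 bytes, then c_i = p_i XOR MD5(secret || c_{i-1}),
    with c_0 = Request Authenticator. Only MD5 and the secret protect the password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; anyone holding the shared secret can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        block = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(x ^ y for x, y in zip(chunk, block)), chunk
    return out.rstrip(b"\x00")


def packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(ident, username, password, secret=SHARED_SECRET):
    """Authenticator side: a fresh random 16-byte Request Authenticator per request."""
    request_auth = secrets.token_bytes(16)
    attrs = encode_attrs([(USER_NAME, username),
                          (USER_PASSWORD, hide_password(password, secret, request_auth))])
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def radius_server(request, secret=SHARED_SECRET, users=USERS):
    """Authentication-server side: reveal the password, look the user up, answer."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = decode_attrs(request[20:length])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    code = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, request_auth, b"", secret), b"")


def verify_response(request, response, secret=SHARED_SECRET):
    """Authenticator side: the response code, or None when the reply was not made with
    the shared secret for this exact request (a spoofed or mismatched reply)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return None
    expected = response_authenticator(code, ident, request[4:20], response[20:length], secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None


if __name__ == "__main__":
    req = build_access_request(7, b"jdoe", b"correct horse battery")
    print("server says:", verify_response(req, radius_server(req)))
```

Two practical consequences follow from the code: the RADIUS shared secret is the only thing standing between an on-path host and every password that crosses the authenticator-to-server link, and the protection is MD5-based, so that link (and the secret) deserve the same care as the wireless side, which in practice means a long random secret per authenticator and a protected transport such as IPsec or RADIUS over TLS.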

12 WPA / WPA2-Enterprise EAP-Types

| EAP type | Source | Client support | Server auth | Client auth | Vulnerability level | Vulnerability examples |
|---|---|---|---|---|---|---|
| EAP-MD5 | Open – NOT Wi-Fi Certified | Aegis, Odyssey | None | Shared-key (MD5) challenge – NO KEY DERIVATION | Extremely high | Offline dictionary attacks |
| LEAP | Cisco proprietary – NOT Wi-Fi Certified | Cisco (CCX), Aegis, Odyssey | Password hash | Password hash | High | ASLEAP – identity exposure & offline dictionary password attacks |
| EAP-FAST | | Odyssey | PAC (shared key) | MSCHAPv2 | Medium | PAC exposure |
| EAP-TLS | Open – Wi-Fi Certified | | Certificate (PKI) | Certificate (PKI) | Low | Lost or stolen devices |
| EAP-TTLS (PAP, CHAP, MSCHAPv2, or GTC) | | Aegis, Odyssey, T-Mobile Conn Mgr (PCTEL) | Certificate | PAP, CHAP, MSCHAPv2, GTC | | Possible identity exposure, MitM risks |
| PEAPv0 (EAP-TLS or MSCHAPv2) | Microsoft – Wi-Fi Certified | Microsoft WZC, Apple, Aegis, Odyssey | Certificate | EAP-TLS (smart card), MSCHAPv2 | | |
| PEAPv1 (EAP-GTC) | Cisco – Wi-Fi Certified | Cisco, Aegis, Odyssey | Certificate | EAP-GTC (Generic Token Card) | | |
| EAP-SIM | GSM wireless carriers – Wi-Fi Certified | | | Smart card (SIM) | | GSM/GPRS attacks |

Note: Aegis Client by Meetinghouse, Odyssey Client by Funk/Juniper Networks.
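The "identity exposure" and "MitM risks" listed for the tunnelled methods (TTLS, PEAP) come down to how the supplicant is configured, not to the protocol. The added example below (not configuration from the presentation or from Emory) shows a wpa_supplicant network block for PEAP/MSCHAPv2 first in the weak form, then hardened. The SSID is the one named on slide 16; the CA bundle path, the RADIUS server hostname, the realm and the user name are assumptions for illustration.

```conf
# WEAK: no ca_cert and no server-name check, so the supplicant will complete the TLS
# tunnel with ANY server certificate. An Evil Twin running its own RADIUS server
# can collect the MSCHAPv2 challenge/response for offline cracking. The real user
# name also travels in the clear as the outer EAP identity.
network={
    ssid="EmoryUnplugged"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="REPLACE-ME"
    phase2="auth=MSCHAPV2"
}

# HARDENED: pin the issuing CA, require the server certificate's name to match the
# RADIUS server, send only an anonymous outer identity, and insist on CCMP.
# (CA path, server name and realm are assumed values.)
network={
    ssid="EmoryUnplugged"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=PEAP
    anonymous_identity="anonymous@emory.edu"
    identity="jdoe@emory.edu"
    password="REPLACE-ME"
    ca_cert="/etc/ssl/certs/emory-radius-ca.pem"
    domain_match="radius.emory.edu"
    phase2="auth=MSCHAPV2"
}
```

The check a deployment guide should state explicitly is the pair `ca_cert` plus `domain_match` (or `domain_suffix_match`): either one alone still leaves a way for a rogue server presenting a certificate from the same public CA, or any certificate at all, to terminate the tunnel.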

13 Choosing the Right EAP-type
- What EAP-types does your client base support?
  - Homogeneous or heterogeneous environment
  - Machine or user authentication – or both?
  - Do you control the clients?
  - Do you support PKI?
  - What clients are you willing to support, and at what level?
- What EAP-types does your authentication server(s) support?
  - RADIUS server supported EAP-types
  - RADIUS proxy capabilities to your back-end credential base
- Back-end directory/database capabilities
  - How are passwords stored?
  - Proxy capabilities
  - Back-end directory rights

14 Wireless Clients
- PCs
  - Microsoft Windows XP WZC
  - Wireless chip manufacturers' clients: Atheros, Intel, Broadcom, Prism
  - Open source: SecureW2, wEAP
  - Funk/Juniper Odyssey, Meetinghouse/Cisco Aegis
  - VPN clients: Microsoft PPTP, IPsec, Checkpoint, others
- Macs
- Linux: wpa_supplicant, Xsupplicant
- PDAs: native OS support, Funk/Juniper Odyssey, Meetinghouse/Cisco Aegis
- Wi-Fi & dual-mode phones
- Other devices: game consoles, TiVo, appliances, Nabaztag Wi-Fi Rabbit

15 Implementing a Secure Wireless Infrastructure
- Basic tenet: the wireless network should be considered UNTRUSTED
  - Wireless traffic should be scrutinized and controlled just like Internet traffic, perhaps more so
- Difficult to build & scale an effective secure architecture with stand-alone APs
  - Expanding VLANs across the campus
  - Backhauling wireless traffic to a firewall or wireless gateway
  - Managing APs, switches, & routers
- I'm an unabashed WLAN switch/controller proponent
  - Much easier to implement security model(s)
  - Easier to deploy, manage, & troubleshoot

16 Aruba WLAN Switch/Controller-based Implementation
- The AP attaches to the network infrastructure and gets its configuration from the Aruba WLAN switch/controller
- The AP builds a tunnel to the Aruba WLAN switch/controller
- An authenticated user associates to the AP; all traffic is tunneled to the controller, where it is scrutinized and passed or blocked to various destinations including the Internet
- A guest user associates to the AP; all traffic is tunneled to the controller, scrutinized, and forwarded to the Internet as policy dictates
- Using a centralized controller gives a single point of ingress and control for wireless traffic on the wired network
(Diagram: Authenticated User on SSID EmoryUnplugged and Guest User on SSID EmoryGuest, both via a "Thin" Access Point tunneling to the Aruba WLAN Switch/Controller with built-in firewall and per-user access control, which connects to Emory's Internal Network and the Internet)

17 Migrating to "New" Security Models
Some history:
- Emory originally settled on an Open System/VPN authentication/access model in 2004
- As we grew, VPN was OK, but not great: the user experience with the VPN was sub-optimal
- Directive to move to WPA-Enterprise given Spring 2006
- Directive for completion by January 1, 2007

18 Changing Security Models
- Least impact on clients (clients DO have to change)
- Plan a transition period
  - Longer (within reason) is better
  - A natural calendar break is ideal for cut-over; Emory used Winter Break '06 as the cut-over
- Run both models for the transition period
- Market, market, market the change and why it's better

19 Poster Example

20 Poster/Ad Example

21 Emory's Transition Timeline
- Fall 2005 – Started piloting the new model; developed configuration handouts and tools
- January 2006 – Started officially supporting the new model
- Spring Semester 2006 (Jan–May)
  - Marketed the change (posters, student newspaper ads)
  - Held clinics to get users transitioned
  - End of semester – blast informing students of the impending change in Fall 2006
- Fall Semester 2006 (Sept–Dec)
  - Removed the old security model from ResNet areas
  - Move-in weekend required lots of hands-on configuration help for students
  - Held additional configuration clinics in high-use areas
  - Mid & late semester – blasts to known users of the old security model informing them of the model "sunset"
- Winter Break 2006 – Removed old security model access globally
- Result: no logged complaints

22 VPN Usage Graph
(Graph: VPN usage, Oct 2005 to Feb 2007, annotated with Thanksgiving 2005, Winter Break 2005, Spring Break 2006, Summer Break 2006, Move-in Weekend 2006, Thanksgiving 2006, Winter Break 2006)

23 Wireless Security – Protecting Yourself
There are 3 main areas to address:
- Protect data as it travels from source to destination: eavesdropping, integrity (tampering), Denial of Service (DoS)
- Protect the client from unauthorized access: MitM/Evil Twin and Ad Hoc attacks, hacking open hard drive shares
- Protect the network from unauthorized/compromised users
(Diagram: Internet – "Real" Access Point – "Real" Wireless User)

24 Safe HotSpot Wireless Computing
Assume the network connection is HOSTILE – practice safe computing!
- Enable/use personal firewalls, properly configured for an "Internet" or untrusted connection
- Configure your wireless client
  - Do NOT connect to non-preferred wireless networks
  - Do NOT automatically connect to an open wireless network – set the client to ask you (On Demand/Manual)
  - No Ad-Hoc networks (Ad-Hoc networks are REALLY BAD)
- Encrypt your traffic
  - WPA/WPA2-Enterprise (probably not available at hotspots)
  - VPNs: your organization's VPN (PPTP, IPsec, or SSL VPNs), or public VPN gateways such as Hotspotvpn.com, Publicvpn.com, JiWire.com SpotLock
- Remember: HTTP, POP3, IMAP, FTP, Telnet and other protocols send credentials and data as clear text, so encrypt to be safe!

25 Safe SOHO Wireless Computing
On your clients:
- Do NOT connect to non-preferred wireless networks
- No Ad-Hoc networks (Ad-Hoc networks are REALLY BAD)
On your router:
- Please, please, please – change your router's default configuration
  - CHANGE THE PASSWORD FROM THE DEFAULT
  - Change the SSID from the default; choose an SSID that does not identify you or your geographic location
  - Set the channel to 1, 6, or 11 to reduce interference
- Read the directions and set up WPA-PSK or WPA2-PSK
  - Choose a difficult-to-guess and long (32+ character) passphrase that has upper/lower case, numbers, and punctuation. Example: "Emory\University/Rox*My<2>smallW0RLD!!!Yeah!"
  - WPA-PSK can be subject to dictionary attacks, so misspelled words, added punctuation and longer keys will help mitigate this type of attack – just make it easy for YOU to remember
- Scan the airwaves around your home or office with NetStumbler to see what channels are open
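The dictionary-attack warning above, and the advice to change the default SSID, both follow from how WPA-PSK turns a passphrase into a key. The added example below (not code from the presentation) derives the PSK the way 802.11i specifies, PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, and runs an offline dictionary attack against it. In a real attack each guess is checked against a captured 4-way handshake (derive the PTK, verify the MIC); here a constructed "captured" PMK stands in for that check because both give the same yes/no answer. The wordlist, SSIDs and the weak passphrase are constructed; the strong passphrase is the slide's own example.

```python
"""WPA/WPA2-PSK key derivation and the offline dictionary attack it permits."""
import hashlib
import hmac
import math
import string


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i: PSK (= PMK) = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The SSID is the salt, so a precomputed table is only useful against that one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def dictionary_attack(target_pmk: bytes, ssid: str, candidates):
    """Offline guessing: derive the PMK for each candidate and compare. Needs no further
    traffic once the handshake (here: the PMK) has been captured."""
    for guess in candidates:
        if hmac.compare_digest(wpa_psk(guess, ssid), target_pmk):
            return guess
    return None


def passphrase_bits(passphrase: str) -> float:
    """Rough upper bound on entropy: log2(alphabet_size ** length) over the character
    classes actually used. Dictionary words score far below this bound in practice."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    size = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(size) if size else 0.0


# Constructed wordlist (not a real cracking dictionary).
WORDLIST = ["password", "letmein", "linksys", "emory2007", "qwerty123"]
STRONG = "Emory\\University/Rox*My<2>smallW0RLD!!!Yeah!"   # the slide's example passphrase


def demo() -> dict:
    weak_pmk = wpa_psk("letmein", "linksys")        # constructed "captured" keys
    strong_pmk = wpa_psk(STRONG, "linksys")
    return {
        "weak_recovered": dictionary_attack(weak_pmk, "linksys", WORDLIST),
        "strong_recovered": dictionary_attack(strong_pmk, "linksys", WORDLIST),
        # Same passphrase on a non-default SSID gives a different PMK, so a table
        # precomputed for "linksys" is useless against it.
        "ssid_changes_key": wpa_psk("letmein", "linksys") != wpa_psk("letmein", "Brooks-Home-5G"),
        "bits_weak": passphrase_bits("letmein"),
        "bits_strong": passphrase_bits(STRONG),
    }


if __name__ == "__main__":
    print(demo())
```

Two things the slide's advice rests on are visible in the output: the weak passphrase is recovered from a five-word list while the long mixed-class one is not, and the PBKDF2 salt is the SSID, so leaving a default SSID lets an attacker reuse a table built once for every router with that name.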

26 Recap
- Why we need security for wireless networks
- Different security models: strengths & weaknesses
- Implementation
- Migrating to a new security model
- Basic wireless security methods for home and hotspots

27 Wireless Security In an Education Environment
Questions & Discussion
Presentation Evaluation URL:

28 Bibliography & Resources
- CWNP – Certified Wireless Network Professional Program: best program for learning ALL about WLANs
- Books: Real 802.11 Security, Wi-Foo, CWNA/CWSP/CWAP Study Guides, Hacking Wireless Networks for Dummies
- Websites: cwnp.com, wi-fiplanet.com and others (hit the forums for good information)
- Manufacturers: Cisco, Aruba, Meru, Trapeze

