Presentation transcript: "802.1x What it is, How it’s broken, and How to fix it."
Slide 1: 802.1x What it is, How it’s broken, and How to fix it.
Bruce Potter, The Shmoo Group
- Practitioner, not researcher
- Talk will focus on the operational impact of 802.1x, not the low level technical breakdown.
Slide 2: Drive 12 miles to work in Northern VA, much of it through undeveloped land. In Sept, there were 12 AP’s. In May there were 50.
Slide 3: Why Wireless?
- No cable plant
- Enhanced mobility
- Ad hoc relationships
- Lower cost (initially… TCO may be higher)
- Rapid deployment
- Many different requirements
Speaker note: talk about TCO
Slide 4: Why Not Wireless
- No physical security
- Low throughput
- Unregulated, noisy bands
- Snooping raw packets is trivial
Slide 5: 802.11, b, etc.
- IEEE standard – based on well known Ethernet standards
- 802.11 – FHSS or DSSS, WEP, 2.4 GHz, Infrastructure (BSS) or Ad-Hoc (iBSS)
  - Limited to 2Mb/s due to FCC limits on dwell times per frequency hop
- 802.11b – DSSS only, WEP, 2.4 GHz, Infrastructure or Ad-Hoc
  - Up to 11Mb/s
  - Also known as Wi-Fi
- 802.11a and g
Slide 6: An Association
- Associations are a basic part of 802.11
- Client requests authentication
- AP responds with auth type (Open/WEP)
- Authentication is performed
- If successful, then Association is requested and granted
- SSID is sent in the clear, so not advertising SSID is NOT a valid security mechanism
Slide 7: General Principles – Deal with the basics
- Integrity: Protecting your packets from modification by other parties
- Confidentiality: Keeping eavesdroppers within range from gaining useful information
- Keeping unauthorized users off the network
  - Free Internet!
  - Risks to both internal and external network
- Availability: Low level DoS is hard to prevent
- Like any other environment, there are no silver bullets
Slide 9: WEP In a Nutshell
- 40 bits of security == 64 bits of marketing spam.
- Not just encryption, also rudimentary authentication of AP’s and clients.
Slide 10: Thoughts on WEP
- Key management beyond a handful of people is impossible
  - Too much trust
  - Difficult administration
  - Key lifetime can get very short in an enterprise
- No authentication for management frames
- No per packet auth
- False Advertising!!!
Slide 11: What is Lacking?
- Scalability
  - Many clients
  - Large networks
- Protection for all parties
  - Eliminate invalid trust assumptions
Slide 12: 802.1x
- Port based authentication for all IEEE 802 networks (layer 2 authentication)
- Originally for Campus networks
- Extended for wireless
- Allows for unified AAA services
- Provides means for key transport
- NOT A WIRELESS PROTOCOL!!!
- Does not specify means for key transport
Slide 13: May not be Access Point… Originally it was a wired switch.
Slide 16: EAP – Extensible Authentication Protocol
- Originally designed for PPP
- Shoehorned into 802.1x
- Switch/Access point is a pass through for EAP traffic. New authentication mechanisms do not require infrastructure upgrades
- LEAP – Cisco’s Lightweight EAP: Password based and (relatively) widely available
- De facto mechanism between AS and AServ is RADIUS
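As an added illustration of the port-based model on slides 12, 13 and 16 (example code, not from the talk): a toy 802.1X authenticator in Python. EAPOL frames (EtherType 0x888E) always enter through the uncontrolled port and are relayed, unread, to the authentication server, while every other frame is dropped until the server’s EAP-Success flips the controlled port. The Authenticator class, its method names and the MAC addresses used when exercising it are constructed for this example.

```python
import struct
from dataclasses import dataclass, field

EAPOL_ETHERTYPE = 0x888E
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2            # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS = 1, 2, 3          # EAP codes (4 = Failure)
EAP_TYPE_IDENTITY = 1

# Wire-format helpers: Ethernet II frame, EAPOL header (version 1), EAP packet.
def eth_frame(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload
def eapol(pkt_type, body=b""):
    return struct.pack("!BBH", 1, pkt_type, len(body)) + body
def eap(code, ident, eap_type=None, data=b""):  # Success/Failure carry no type
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body
def parse_eap(body):
    code, ident, length = struct.unpack("!BBH", body[:4])
    if not 4 <= length <= len(body):
        raise ValueError("bad EAP length")
    return code, ident, body[4:length]

@dataclass
class Authenticator:
    """Toy switch/AP port entity (constructed): EAPOL uses the uncontrolled port, all else the controlled port."""
    authorized: bool = False                            # controlled port state
    to_as: list = field(default_factory=list)           # EAP bodies relayed to the AS
    to_supplicant: list = field(default_factory=list)   # EAPOL frames sent back

    def receive(self, frame):
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype != EAPOL_ETHERTYPE:                # non-EAPOL: controlled port decides
            return "forwarded" if self.authorized else "dropped"
        _ver, ptype, blen = struct.unpack("!BBH", frame[14:18])
        body = frame[18:18 + blen]
        if ptype == EAPOL_START:                        # answer with Request/Identity
            self.to_supplicant.append(eapol(EAPOL_EAP, eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)))
            return "identity-requested"
        if ptype == EAPOL_LOGOFF:
            self.authorized = False
            return "logged-off"
        if ptype == EAPOL_EAP and parse_eap(body)[0] == EAP_RESPONSE:
            self.to_as.append(body)                     # pass-through: the method is never inspected here
            return "relayed"
        return "ignored"

    def deliver_as_result(self, eap_body):              # Success/Failure from the AS
        self.authorized = parse_eap(eap_body)[0] == EAP_SUCCESS
        self.to_supplicant.append(eapol(EAPOL_EAP, eap_body))
        return self.authorized
```

Because the switch/AP only relays EAP bodies, a new EAP method changes nothing in this code, which is the "no infrastructure upgrade" property the slide claims.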
Slide 18: EAP Methods
- EAP-TLS: Uses certs! If implemented properly, solves many problems
- TTLS – Tunneled TLS. Allows encapsulation of other auth mechanisms. “machine” auth’d by TLS, person by the tunneled protocol
- PEAP – IETF Draft. Like TTLS but with another EAP method encapsulated
- TLS/TTLS and others require certs. We all have a PKI setup, right? and use it properly and regularly?
Slide 19: What’s Right
- Protection of the infrastructure
- Authentication mechanism can change as needed
  - address flaws in existing wireless security
- Lightweight: No encapsulation, no per packet overhead… simply periodic authentication transactions
Slide 20: What’s Right
- In controlled environment, risks can be mitigated by higher level protocols: VPN/SSL/SSH
- NOTE: exchange of WEP key material is not part of 802.1x specification
- Remember: designed for wired campus networks
Slide 21: What’s Right
- Association happens BEFORE 802.1x transaction.
  - Good: If 802.1x session is protected by default WEP key then the attacker must first compromise the WEP key to make use of 802.1x vulns
  - Bad: Key management anyone? Just how does the default key get there?
Slide 22: What’s Wrong
- www.missl.cs.umd.edu/wireless/1x.pdf
  - First Open source supplicant
  - First holes in 802.1x
- One way authentication: Less of a concern in LAN environment
- Traffic Interception
- Session Hijacking
Slide 23: What’s Wrong – Technical
- One way Authentication
  - Gateway authenticates the client
  - Client has no explicit means to authenticate the Gateway
  - Rogue gateways put client at risk
  - Remember – the loudest access point wins
- Still no Authentication of management frames (assoc/deassoc/beacons/etc…)
- Some EAP methods provide mutual authentication… but it’s not a requirement.
Slide 24: What’s Wrong – Technical
- MITM
  - Send “Authentication Successful” to client
  - Client associates with malicious AP
- Hijacking
  - Send deassociation message to client… AP is in the dark
  - Change MAC to client and have live connection
Slide 25: What’s Wrong – Technical
- RADIUS uses shared secret with the Authenticator: Same issue as WEP, but on a more reasonable scale
- Authentication after association presents roaming problems: Authentication takes a non-trivial amount of time… can disrupt data in transit
- Failure of RADIUS server == failure of network
  - Many AP implementations don’t allow multiple RADIUS servers
  - Most RADIUS server failover is non-transparent
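An added example (not from the talk) of the shared-secret trust slide 25 describes: the RFC 2865 Response Authenticator that a switch/AP checks before it believes an Access-Accept, computed as MD5 over the reply, its own random Request Authenticator and the secret. Everything the authenticator knows about a "successful" answer from the server rests on this one value, so the secret is a WEP-style key-management problem, only per AP/server pair. The function names and the secret used below are constructed for this example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS codes
ATTR_USER_NAME = 1

def attr(atype, value):                     # RADIUS TLV: type, length, value
    return struct.pack("!BB", atype, 2 + len(value)) + value

def radius_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def access_request(ident, username):
    # The Request Authenticator must be fresh and unpredictable for every request:
    # it is the only thing that binds the server's reply to *this* request.
    return radius_packet(ACCESS_REQUEST, ident, os.urandom(16), attr(ATTR_USER_NAME, username))

def response_authenticator(code, ident, req_auth, attrs, secret):
    # RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def access_response(code, request, attrs, secret):
    """What the server sends back (Accept/Reject); building it needs the shared secret."""
    ident, req_auth = request[1], request[4:20]
    return radius_packet(code, ident, response_authenticator(code, ident, req_auth, attrs, secret), attrs)

def verify_response(response, request, secret):
    """Authenticator-side check before acting on a reply: only a party holding the
    shared secret, answering our own request, can produce a matching authenticator."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])
```

A reply that fails this check, or one replayed against a different request, must be discarded rather than opening the port; for packets carrying EAP-Message, RFC 3579 additionally requires an HMAC-MD5 Message-Authenticator attribute keyed with the same secret.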
Slide 26: What’s Wrong – touchy feely
- They forgot about the client (trust assumptions)
  - Everyone is at risk
  - Everyone is a threat
- Lack of physical security requires encrypted channel to secure 802.1x
- Wired “port” is not the same as wireless “port”
- Protocol designed to not require hardware replacement: Leads to less than stellar solution, esp WRT authentication of management frames.
Slide 27: What’s Wrong – touchy feely
- Extensibility leads to complexity
  - Complexity leads to mistakes in implementation
  - Read the MS Guide on creating EAP methods as an example.
- Multivendor support is difficult
- Using a shoehorn to force protocols to work together leads to problems
Slide 28: Why Did it Go Wrong?
- 802.1x – Designed for Campus networks
- EAP – Designed for PPP
- NEITHER designed with wireless threat model in mind
- Lesson: Don’t apply old protocols to new problems without understanding the risk.
Slide 29: Where Are We Today?
- Several 802.1x implementations available
  - Windows XP (not PocketPC 2002)
  - Open1x.org
- EAP implementations
  - Windows IAS
  - FreeRADIUS – MD5 and TLS
  - Cisco
  - Other RADIUS servers
- NOTE: highest risk applications don’t have 802.1x – Pocket PC2k
Slide 30: Where Are We Today?
- 802.1x capable Access Points
  - Cisco
  - Lucent RG1000/RG1100 can be hacked with AP500 firmware to become 1x capable (some drawbacks)
  - OS authenticator from open1x.org
  - others
Slide 31: What’s Next
- Integration of existing solutions to “raise the bar”
- Limited 802.1x implementations
- 802.11i (Task Group I – Security)
  - On track… the right track
  - Mutual auth, per packet auth
  - 802.1x a part of
Slide 32: What’s Next
- WEP has the right idea
- End to End Solutions ala SSL, SSH, IPSec
  - Not likely
  - PocketPC2k2 doesn’t have a robust cert infrastructure.
Slide 33: Temporal Key Integrity Protocol
- Fast Packet Keying
- Packet MAC
- Dynamic Rekeying
- Key distribution via 802.1x
- 3Q product deployment
- Still RC4 based to be backward compatible
- AES with 802.1x keying in the distant future