
1 Wireless Security – Let the Nightmare End!
Steve Lamb, IT Pro Security Evangelist
http://blogs.technet.com/steve_lamb
stephlam@microsoft.com

2 Agenda
- What’s wrong with wireless out of the box?
- Protected Extensible Authentication Protocol (PEAP)
- Extensible Authentication Protocol - Transport Layer Security (EAP-TLS)

3 PKI References
- "Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure" on http://www.microsoft.com/pki

4 Agenda
- What’s wrong with wireless out of the box?
- Protected Extensible Authentication Protocol (PEAP)
- Extensible Authentication Protocol - Transport Layer Security (EAP-TLS)

5 The challenge
- Huge fear of wireless
- Rooted in misunderstandings of security
- Wireless can be made secure
- Takes work
- Need to understand the problem
- Need to plan for a secure solution

6 Securing Wireless
- Need to control who and with what (authenticate)
- Need to control what they access (authorise)
- Ensure integrity of communications (encrypt)
- Ensure safe transfer of credentials (encrypt authentication)
- Need to audit and report

7 WEP setup and RC4
- Secret key shared between access point and all clients
- Encrypts traffic before transmission
- Performs integrity check after transmission
- WEP uses RC4, a stream cipher (here "key" is the RC4 keystream derived from the shared key):
  [key] XOR [plaintext] → [ciphertext]
  [ciphertext] XOR [key] → [plaintext]

8 Common attacks
- Bit-flipping (encryption ≠ integrity)
  - Flipping bit n in ciphertext flips the same bit in plaintext
- Statistical attacks
  - Multiple ciphertexts using the same key permit determination of plaintext XOR
  - Enables statistical attacks to recover plaintext
  - More ciphertexts eases this
  - Once one plaintext is known, recovering others is trivial

9 WEP’s “defenses”
- Integrity check (IC) field
  - CRC-32 checksum, part of encrypted payload
  - Not keyed
  - Subject to bit-flipping → can modify IC to make altered message appear valid
- Initialization vector (IV) added to key
  - Alters key somewhat for each packet
  - 24-bit field; contained in plaintext portion
  - Alas, this small keyspace guarantees reuse

10 More IV problems
- Say an AP constantly sends 1500-byte packets at 11 Mbps
  - Keyspace exhausted in 5 hours
  - Could be quicker if packets are smaller
- Key reuse causes even more collisions
  - Some cards reset IV to 0 after initialization
  - Some cards increment by 1 after each packet
  - 802.11 standard does not mandate a new per-packet IV!
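Added example (not from Steve Lamb's slides) putting slides 9 and 10 into code from a defender's side: it reproduces the "5 hours at 11 Mbps" exhaustion estimate and audits a constructed frame sample for IV reuse, resets to 0 and simple counter behaviour. The frame layout (3-byte IV read little-endian, 1-byte key index, opaque body) and the sample frames are assumptions made for the example.

```python
"""Audit WEP IV usage in a constructed frame sample and estimate how quickly the
24-bit IV space runs out. Assumed layout: 3-byte IV (little-endian here),
1-byte key index, then the RC4-encrypted body. No real capture or key involved."""
from collections import Counter
from dataclasses import dataclass

IV_SPACE = 1 << 24  # 16,777,216 possible IVs; a repeat is only a matter of time


def hours_to_exhaust_iv_space(packet_bytes: int, link_mbps: float) -> float:
    """Hours until a sender at full line rate has used every IV once (slide 10)."""
    packets_per_second = (link_mbps * 1_000_000) / (packet_bytes * 8)
    return IV_SPACE / packets_per_second / 3600


def parse_iv(frame: bytes) -> int:
    """The IV travels in the clear, so any listener sees when it repeats."""
    if len(frame) < 4:
        raise ValueError("frame too short to carry a WEP IV and key index")
    return int.from_bytes(frame[:3], "little")


@dataclass
class IvReport:
    frames: int
    distinct_ivs: int
    reused_ivs: dict        # iv -> times seen, only for IVs seen more than once
    resets_to_zero: int     # IV went back to 0 mid-stream (card re-initialised)
    sequential_steps: int   # IV(n+1) == IV(n)+1: a predictable counter


def analyse_ivs(frames) -> IvReport:
    """Flag keystream reuse and the weak IV-generation habits the slides list."""
    ivs = [parse_iv(f) for f in frames]
    counts = Counter(ivs)
    return IvReport(
        frames=len(ivs),
        distinct_ivs=len(counts),
        reused_ivs={iv: n for iv, n in counts.items() if n > 1},
        resets_to_zero=sum(1 for iv in ivs[1:] if iv == 0),
        sequential_steps=sum(1 for a, b in zip(ivs, ivs[1:]) if b == (a + 1) % IV_SPACE),
    )


def _frame(iv: int, body: bytes) -> bytes:
    # Constructed frame: IV, key index 0, then an opaque ciphertext body.
    return iv.to_bytes(3, "little") + b"\x00" + body


# Constructed sample: a card counting 0, 1, 2, then re-initialising to 0.
SAMPLE_FRAMES = [_frame(0, b"\xa1\xb2"), _frame(1, b"\xc3\xd4"), _frame(2, b"\xe5\xf6"),
                 _frame(0, b"\x07\x18"), _frame(1, b"\x29\x3a"), _frame(7, b"\x4b\x5c")]

if __name__ == "__main__":
    print(f"IV space exhausted in {hours_to_exhaust_iv_space(1500, 11):.1f} h at 11 Mbps")
    print(analyse_ivs(SAMPLE_FRAMES))
```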

11 Classes of attacks
- Key and IV reuse
- Known plaintext attack
- Partial known plaintext attack
- Weaknesses in RC4 key scheduling algorithm
- Authentication forging
- Realtime decryption

12 VPNs
Pros
- Familiarity
- Hardware independent
- Proven security
Cons
- Lacks user transparency
- Only user logon (not computer): roaming profiles, logon scripts, GPOs, shares, management agents and Remote Desktop broken
- No reconnect on resume from standby
- Complex network structure

13 VPNs
More cons
- No protection for WLAN
- Bottleneck at VPN devices
- Higher management and hardware cost
- Prone to disconnection
Yet more cons! (non-MS VPNs)
- 3rd party licensing costs
- Client compatibility
- Many VPN auth schemes (IPsec Xauth) are as bad as WEP!

14 Agenda
- Public Key Infrastructure and Cryptography (PKI)
- What’s wrong with wireless out of the box?
- Protected Extensible Authentication Protocol (PEAP)
- Extensible Authentication Protocol - Transport Layer Security (EAP-TLS)

15 PEAP encapsulation
1. Server authenticates to client
2. Establishes protected tunnel (TLS)
3. Client authenticates inside tunnel to server
- No cryptographic binding between PEAP tunnel and tunneled authN method
- Fix: constrain client (in GPO) to trust only a specific corporate root CA
- Foils potential MitM attacks

16 The many flavors of PEAP…
- Common point of customer confusion: Microsoft released PEAPv0 (a.k.a. MSFT-PEAP) while Cisco released PEAPv1 (a.k.a. Cisco-PEAP)
- Support for PEAP: most RADIUS servers on the market now support PEAP version 0:
  - Cisco ACS (RADIUS server)
  - Funk Steel Belted RADIUS
  - Interlink RADIUS
  - MeetingHouse RADIUS
- PEAP is supported in the following families:
  - Natively: Microsoft® Windows® 2003, Windows XP SP1+, Windows® 2000 SP4, Tablet
  - Application or system upgrade: Windows 98, Windows NT 4.0 and Pocket PC 2002
- Internet Authentication Service (IAS) in the Microsoft® Windows® 2000 Server family and Windows Server® 2003 family supports PEAP; no need to install third-party RADIUS software.

17 Agenda
- What’s wrong with wireless out of the box?
- Protected Extensible Authentication Protocol (PEAP)
- Extensible Authentication Protocol - Transport Layer Security (EAP-TLS)

18 802.1X on 802.11 (sequence diagram: laptop computer ↔ access point over wireless 802.11; access point ↔ RADIUS server over Ethernet)
- 802.11 Associate / Association: access blocked
- EAPOL-Start
- EAP-Request/Identity
- EAP-Response/Identity, forwarded as Radius-Access-Request
- Radius-Access-Challenge, forwarded as EAP-Request
- EAP-Response (credentials), forwarded as Radius-Access-Request
- Radius-Access-Accept, forwarded as EAP-Success
- EAPOL-Key (Key): access allowed

19 Secure Wireless Deployment: Components
- Wireless Clients
- Wireless Access Points
  - Radio types: 802.11 a/b/g
  - Network authentication: 802.1X, WPA, WPA2/802.11i*
  - Encryption: WEP, TKIP, AES
- RADIUS Server
  - RADIUS, EAP/TLS, PEAP-MSCHAPv2
  - Remote Access Policies
- User account database
  - Remote Access permissions
  - Credentials = Passwords
- Certificate Authority (optional)
  - Credentials = Certificates

20 Secure Wireless Deployment: MS Offerings
- Windows XP
  - Windows Wireless Zero Config
  - Native 802.1X, WPA, and soon WPA2*
  - Certificates, passwords, smartcards, RSA token**
  - Wireless group policy
- AP
  - Any access point supporting 802.11 and 802.1X standards
- Server 2003 IAS
  - EAP/TLS (certificates/smartcard)
  - PEAP (password)
  - Remote access policies
  - RADIUS proxy functions
  - Improved scaling
- Server 2003 Active Directory
  - Wireless group policy
  - User and computer authentication
- Server 2003 Certificate Authority
  - User and computer auto-enrollment

21 Secure Wireless Deployment: Benefits
- Windows XP
  - Integrated Windows client
  - Standards-based security
  - Evolving with the industry
  - Seamless sign-on experience
- AP
  - Interoperability
- Server 2003 IAS
  - Security
  - Manageability
  - Policy-based access management
  - Scalability, deep and wide
- Server 2003 Active Directory
  - Centralized administration
  - Client configuration
  - Access management
- Server 2003 Certificate Authority
  - Automated client updating

22 Security Best Practices: What NOT to do
- Hidden SSID
  - Does not provide any real security
  - Easily discoverable in well-used environments
  - Windows client experience is impacted
- MAC filtering
  - Does not scale
  - NIC management issue
  - MAC is spoofable
- “Shared” mode
  - Sounds like more security but is actually worse
  - Not to be confused with Pre-Shared Key (PSK), which is more secure
- Open networks and VPNs
  - Grants everyone access to the wireless segment
  - Great for hotspots, not for your business

23 Security Best Practices: What to do
- Choose a security authentication method:
  - WPA with EAP-TLS and both user and computer certificates
  - WPA with PEAP-MS-CHAP v2 and enforce strong user passwords
  - WEP with 802.1X authentication, EAP-TLS with both user and computer certificates, and periodic re-authentication
  - WEP with 802.1X authentication, PEAP-MS-CHAP v2, periodic re-authentication, enforce strong user passwords
- Preventing rogues
  - User education and policy
  - Ongoing monitoring
- Don’t use hidden SSIDs
- Do use Wireless Group Policy

24 Best Practices: Scalability (Microsoft RADIUS – Internet Authentication Service (IAS))
- Install at least two IAS RADIUS servers
- For best performance, install IAS on domain controllers
- Use strong RADIUS shared secrets
- Use as many different RADIUS shared secrets as possible
- Use IAS RADIUS proxies to scale authentication traffic
- Use IAS RADIUS proxies for separate account databases

25 Using IAS RADIUS proxies: load balancing of RADIUS traffic (diagram: Wireless APs → IAS RADIUS proxies → IAS servers)

26 Using IAS RADIUS proxies: cross-forest authentication (diagram: Wireless APs → IAS RADIUS proxies → IAS servers in Forest 1 and Forest 2)

27 Best Practices: Management
- Use the Wireless Network (IEEE 802.11) Policies Group Policy settings to automatically configure wireless clients running Windows XP and Windows Server 2003 with your SSID
- If you have a native-mode domain, use universal groups and global groups to organize your wireless computer and user accounts into a single group
- Use certificate auto-enrollment for computer certificates
- Use certificate auto-enrollment for user certificates
- "Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure" on http://www.microsoft.com/pki

28 Aligning with other security initiatives
- Network Health Compliance
  - Lays down both the network infrastructure and ID Management elements needed for NAP (Network Access Protection)
  - Preserves investment in infrastructure
  - RADIUS is the center of policy making, enforcement and access control for Secure Wireless and NAP
  - Single sign-on
- Secure Network Segmentation
  - IPSec and 802.1X work together by providing a defense in depth strategy
  - 802.1X – hard outside – offers isolation
  - IPSec – hard inside – offers resource protection

29 Best Practices as applied to Microsoft

30 Microsoft IT Secure Wireless Deployment
- Wireless Clients
  - 23-30K per day
  - 300K authentications per day
- Wireless Access Points
  - Network authentication: 802.1X
  - Encryption: dynamic WEP
  - ~5000 802.11b Cisco APs
  - 90 countries, 300+ sites
  - Single SSID
- RADIUS Server
  - Puget Sound: 2 proxy, 4 RADIUS servers
  - Worldwide: 5 proxy/RADIUS servers
  - EAP/TLS
  - Remote Access Policies enforced
- User account database
  - Remote Access permissions
  - Group Policies for configuration
- Certificate Authority
  - User and machine certificates autoenrolled

31 Microsoft Future Wireless Deployment
- Wireless Clients
  - Migration to 802.11i (WPA2)
- Wireless Access Points
  - Thin AP/wireless switch architecture
  - Single hardware platform
  - Multiple SSIDs, independent services: voice, guest and corporate network
- RADIUS Servers
  - Independent RADIUS servers for each service
  - Different auth methods for each service
  - Proxies to distribute load
- User account database
  - Multiple ADs to support guests and corporate users
- Certificate Authority
  - User and machine certificates for corporate services, autoenrolled

32 Tools
- WEPCrack – breaks 802.11 keys: http://wepcrack.sourceforge.net/
- AirSnort – breaks 802.11 keys; needs only 5-10 million packets: http://airsnort.shmoo.com/
- NetStumbler – access point reconnaissance: http://www.netstumbler.com

33 Resources
- The Advantages of Protected Extensible Authentication Protocol (PEAP): http://www.microsoft.com/windowsserver2003/techinfo/overview/peap.mspx
- Designing and Deploying Wireless LAN Connectivity for the Microsoft Corporate Network: http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/wlandply.mspx
- "Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure": http://www.microsoft.com/pki
- Best Practices article in TechNet Magazine – Nov 2005: http://www.technetmagazine.com

34 © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
