Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 13-802.11 Network Security Architecture 802.11 Security Basics Legacy 802.11 security Robust Security Segmentation Infrastructure Security VPN.

Published byPolly Pitts Modified over 8 years ago

Similar presentations

Presentation on theme: "Chapter 13-802.11 Network Security Architecture 802.11 Security Basics Legacy 802.11 security Robust Security Segmentation Infrastructure Security VPN."— Presentation transcript:

1 Chapter 13-802.11 Network Security Architecture 802.11 Security Basics Legacy 802.11 security Robust Security Segmentation Infrastructure Security VPN wireless Security

2 Exam Essentials Define the concept of AAA. –Be able to explain the differences between authentication, authorization, and accounting and why each is needed for a WLAN network. Explain why data privacy and segmentation are needed. –Be able to discuss why data frames must be protected with encryption. Know the differences between the various encryption ciphers. Understand how VLANs and RBAC mechanisms are used to further restrict network resources. Understand legacy 802.11 security. –Identify and understand Open System authentication and Shared Key authentication. Understand how WEP encryption works and all of its weaknesses. Explain the 802.1X/EAP framework. –Be able to explain all of the components of an 802.1X solution and the EAP authentication protocol. Understand that dynamic encryption key generation is a by-product of mutual authentication.

3 Exam Essentials Define the requirements of a robust security network (RSN). –Understand what the 802.11-2007 standard specifically defines for robust security and be able to contrast what is defend by both the WPA and WPA2 certifications. Understand TKIP/RC4 and CCMP/AES. –Be able to explain the basics of both dynamic encryption types and why they are the end result of an RSN solution. Explain VLANs and VPNs. –Understand that VLANs are typically used for wireless segmentation solutions. Define the basics of VPN technology and when it might be used in a WLAN environment.

4 Wireless Security Data Privacy and Authentication What attacks are there What defenses are there

5 802.11 Security basics Data Privacy Authentication, Authorization, Accounting Segmentation Monitoring Policy Pg 438

6 802.11 Security basics Wireless tend to be a portal to existing, secure networks Wireless needs to be protected as well –Too easy to capture Use authorization to prevent access to internal network resources –Then regular authentication for network resources 802.11i and the RSN improved the reputation of wireless Pg 438

7 Data Privacy Since wireless is in unlicensed frequency, easy to detect transmissions Data privacy is used to restrict access to the data –Encryption Algorithms –RC4 and AES Management Frames not encrypted The MSDU from the data frames is encrypted –Layer 2 encryption Pg 439

8 Authentication, Authorization, Accounting (AAA) Authentication –Verification of user identity and credentials Authorization –Granting access to network resources based on authentication Accounting –Tracking the use of network resources by users Pg 439

9 Authentication, Authorization, Accounting (AAA) 802.11i and the RSN provided AAA standards for wireless networks Accounting trail is necessary for many government regulation Pg 439

10 Segmentation Before good encryption on wireless networks, they were segmented (separated) from wired –Untrusted Still important to keep different kinds of traffic separate on the networks –Firewalls, routers, VPNS, VLANS –Wireless VLAN is mores common Related to Role Based Access Control (RBAC) Pg 440

11 Monitoring and Privacy Need to monitor network to prevent attacks Using a Wireless Intrusion Detection system can help Pg 440

12 Legacy Security Open System Authentication –Null authentication, everyone gets in Shared Key –Used the WEP key as source WEP key was static, and same for everyone. –Major security risk. Pg 440

13 Static WEP Wired Equivalent Privacy is layer 2 encryption –RC4 with 64 or 128 bit key Confidentiality, access control and data integrity were goals Static WEP was on both AP and clients –Up to 4 keys, but all must match Pg 442

14 Static WEP Pg 442 WEP runs a cyclic redundancy check (CRC) on the plaintext data that is to be encrypted and then appends the Integrity Check Value (ICV) to the end of the plaintext data. A 24-bit cleartext Initialization Vector (IV) is then generated and combined with the static secret key. WEP then uses both the static key and the IV as seeding material through a pseudorandom algorithm that generates random bits of data known as a keystream. These pseudorandom bits are equal in length to the plaintext data that is to be encrypted. The pseudorandom bits in the keystream are then combined with the plaintext data bits by using a Boolean XOR process. The end result is the WEP ciphertext, which is the encrypted data. The encrypted data is then prefxed with the cleartext IV. Figure 13.3 illustrates this process.

15 Static WEP Attacks –IV Collisions –Weak Key –Reinjection –Bit-Flipping Easy to crack WEP Pg 442

16 MAC Filters Have AP use only approved MAC addresses –Not part of the standard Too easy to spoof a MAC address –Use protocol analyzer to grab MAC address and then use it on your own machine Pg 444

17 SSID Cloaking Hide the SSID The SSID field appears blank in beacon frames and probe responses A protocol Analyzer will see the SSID field in actual data frames Pg 444

18 Robust Security The 802.11-2007 standard defines an enterprise authentication method as well as a method of authentication for home use. Requires the use of 802.1x/EAP for enterprise and use of PSK for SOHO Strong Encryption required as well –CCMP/AES –TKIP/RC4 Pg 445

19 Robust Security WiFi Alliance created WPA and WPA2 –WPA before 802.11i –WPA2 after Pg 445

20 Robust Security Network Robust Security Network Associations –How two stations authenticate and associate –Create dynamic encryption through a 4 way handshake CCMP/AES is mandatory TKIP/RC4 is optional RSN field is in the beacon –RSN Information Elelement –Defines supported cipher elements Pg 446

21 802.1x/EAP Not specific to wireless Port based authentication Three players Supplicant –Client that wants access Authenticator –System that accepts requests (AP) Authentication Server –Database of users –RADIUS server Pg 446

22 802.1x/EAP Pg 446

23 802.1x/EAP EAP allows for different authentication systems to be used Defines when traffic moves from the uncontrolled to the controlled port Pg 446

24 EAP Types Many EAP types –LEAP,PEAP, etc One way or mutual authentication –Mutual authentication usually requires the AP to provide a digital certificate to client that they can verify Pg 450

25 Dynamic Encryption Since 802.1x/EAP can provide for distribution on certificates it is often used to help with encryption Generate encryption keys during the authentication process –Much better than a static key that is used by everyone Keys are generated per session/per user –Every authentication, new key Pg 450

26 4 Way Handshake The RSNA process creates multiple keys –Group Master Key (GMK) –Pairwise Master Key (PMK) PMK can also be created from a Pre-Shared Key (PSK) Pg 452

27 WPA/WPA-2 Personal In 802.1x/EAP you need an authentication server –Like RADIUS Most SOHO implementations use pre- shared Keys (PSK) –PSK is still a security risk PSK isn’t used for encryption on all stations –Each creates own encryption keys Pg 453

28 Encryption Options TKIP uses RC4 –Like WEP –Optional solution Can help legacy devices support better encryption than WEP CCMP/AES –Much more secure –Requires hardware support Pg 453

29 Segmentation Dividing up network to restrict access to resources –VLANs –RBAC Pg 454

30 VLANs Common on wired networks With 802.11, map VLAN to specific SSIDs APs can support multiple SSIDs –Wireless VLANS Each VLAN has different access to internal network and other networks Pg 457

31 VLANs

32 RBAC Restrict Access to authorized users When set up with a WLAn controller, RBAC can divide access based on users, roles or permission Roles like sales or marketing Permissions –Layer 2 or 3 access –Layer 4-7 firewalls –Bandwidth When user authenticates, their access is dependant on user credentials –Like traditional wired networks Pg 457

33 Infrastructure Security Physical –Don’t want expensive APs walking away Interface Security –Limit access to the management functions –Turn off the ones not in use Pg 458

34 VPN Wireless Security VPNs were often used by systems before 802.11i Not recommended now since there are other measures Still required for remote access –When connecting through Public Hot Spots Pg 459

35 Layer 3 VPN VPNs use secure tunneling –Encapsulate one network layer packet in another –Encapsulated packet has “hidden” data Outside packet has public addresses for transmitting over network. Pg 459

36 Layer 3 VPN Pg 459

37 Exam Essentials Define the concept of AAA. –Be able to explain the differences between authentication, authorization, and accounting and why each is needed for a WLAN network. Explain why data privacy and segmentation are needed. –Be able to discuss why data frames must be protected with encryption. Know the differences between the various encryption ciphers. Understand how VLANs and RBAC mechanisms are used to further restrict network resources. Understand legacy 802.11 security. –Identify and understand Open System authentication and Shared Key authentication. Understand how WEP encryption works and all of its weaknesses. Explain the 802.1X/EAP framework. –Be able to explain all of the components of an 802.1X solution and the EAP authentication protocol. Understand that dynamic encryption key generation is a by-product of mutual authentication.

38 Exam Essentials Define the requirements of a robust security network (RSN). –Understand what the 802.11-2007 standard specifically defines for robust security and be able to contrast what is defend by both the WPA and WPA2 certifications. Understand TKIP/RC4 and CCMP/AES. –Be able to explain the basics of both dynamic encryption types and why they are the end result of an RSN solution. Explain VLANs and VPNs. –Understand that VLANs are typically used for wireless segmentation solutions. Define the basics of VPN technology and when it might be used in a WLAN environment.

Download ppt "Chapter 13-802.11 Network Security Architecture 802.11 Security Basics Legacy 802.11 security Robust Security Segmentation Infrastructure Security VPN."

Similar presentations

Chapter 07 Designing and Implementing Security for WLAN

Chapter 07 Designing and Implementing Security for WLAN
IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
CSE 6590 1.  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in 802.11  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 

CSE  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.

Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy

Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy
Security in IEEE 802.11 wireless networks Piotr Polak University Politehnica of Bucharest, December 2008.

Security in IEEE wireless networks Piotr Polak University Politehnica of Bucharest, December 2008.
Implementing Wireless LAN Security

Implementing Wireless LAN Security
Security+ Guide to Network Security Fundamentals, Third Edition

Security+ Guide to Network Security Fundamentals, Third Edition
Final Presentation Presented By: Gal Leibovich Liran Manor Supervisor: Hai Vortman.

Final Presentation Presented By: Gal Leibovich Liran Manor Supervisor: Hai Vortman.
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
WEP and 802.11i J.W. Pope 5/6/2004 CS 589 – Advanced Topics in Information Security.

WEP and i J.W. Pope 5/6/2004 CS 589 – Advanced Topics in Information Security.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
Wireless Network Security: WEP And Beyond Heidi Parsaye Jason DeVries Roxanne Ilse Heidi Parsaye - Jason DeVries - Roxanne Ilse.

Wireless Network Security: WEP And Beyond Heidi Parsaye Jason DeVries Roxanne Ilse Heidi Parsaye - Jason DeVries - Roxanne Ilse.
W i reless LAN Security Presented by: Pallavi Priyadarshini Student ID 003503527.

W i reless LAN Security Presented by: Pallavi Priyadarshini Student ID
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.

11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE

Similar presentations

Ads by Google