Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing your wireless LAN Paul DeBeasi VP Marketing

Published byTimothy Bailey Modified over 8 years ago

Similar presentations

Presentation on theme: "Securing your wireless LAN Paul DeBeasi VP Marketing"— Presentation transcript:

1 Securing your wireless LAN Paul DeBeasi VP Marketing Email: pdebeasi@legra.compdebeasi@legra.com

2 Pop quiz At the end of this presentation you will… A.Think you are an expert in all aspects of wireless security. B.Decide that WLANs can never be secure enough for enterprise deployment. C.Become aware of WLAN security risks and approaches for risk mitigation. D.Need a no-whip, triple-shot, cappuccino.

3 Wireless vulnerabilities Theft of service –No security –Key derivation –MAC spoofing –Rogue WLANs –Default SSID –Ad-hoc networks Session hijacking –Man in the middle attacks Deny/degrade service –RF interference/jam –Bit flipping –Disassociation attack –EAP attacks Network eavesdropping –RF Monitors Infrastructure attack –Default passwords

4 Security Concepts Authentication Something you are, you have, you know Data Privacy Keeping your data hidden from prying eyes Data Integrity Prevent data tampering Authorization Control access to network resources

5 Evolution of WLAN security

6 WEP Wired Equivalent Privacy –Protect from eavesdropping “Good enough” privacy –U.S. export control law restrictions in 1999 Network-wide shared key –All packets encrypted IV (24 bits) WEP Key (40 or 104 bits) RC4 Key stream Clear text XOR Encrypted text

7 What’s wrong with WEP? (a lot!) Turned off by default pray –Plug and pray mobility Authentication –No user authentication Encryption –WEP key can be broken in a few hours Data integrity –CRC (cyclic redundancy check) susceptible to bit flipping Difficult to update keys –Must manually change every station

8 WEP/802.11 recommendations Turn on WEP –Better than no security at all Change default SSID –And, don’t use a name like “finance-network” Disable SSID beaconing –Make it difficult for attackers to find your WLANs Change default key –And, change the key frequently Use MAC address filtering –More useful for small deployments

9 Evolution of WLAN security

10 802.1x and EAP Campus Network Authentication Server SupplicantAuthenticator 802.1x defines EAPOL (Extensible Authentication Protocol over LAN) –Provides centralized authentication and dynamic key exchange –EAP packets carried at the MAC layer, embedded in RADIUS commands EAP is extensible –Most common examples: EAP-TLS, EAP-TTLS, EAP-LEAP, EAP-PEAP EAPOL RADIUS EAP- (TLS, TTLS, PEAP, LEAP)

11 802.1x and EAP – benefits Centralized authentication –Per user authentication and resource allocation –Authentication server and supplicant authenticate each other –Effectively eliminates Man-in-the-middle attacks Centralized key management –Derived unique per user session key Centralized policy control –Session time-out and automatic key redistribution (“dynamic WEP”) –VLAN assigned by the Authentication server Campus Network Authentication Server SupplicantAuthenticator

12 EAP Types – variations on a theme EAP over TLS (EAP-TLS) –IETF standard (RFC 2716) –Uses digital certificates for both user and server EAP over Tunneled TLS (EAP-TTLS) –IETF draft (Funk), only the server needs to have a certificate –Supports password or token based authentication within a protected tunnel Protected EAP (PEAP) –IETF draft (Cisco, Microsoft, RSA), only the server needs to have a certificate –Supports various EAP-encapsulation methods within a protected tunnel Cisco LEAP –Proprietary solution for mutual authentication –Supports various EAP-encapsulation methods within a protected tunnel –Vulnerable to ASLEAP dictionary attack

13 Virtual private networks An alternative approach –Treats wireless as an “un-trusted” network –IETF standard - layer 3 authentication & encryption Challenges –Vulnerable at layer 2 Rogue AP Layer 2 session hijacking DOS attacks against wireless stations or VPN device –Can be difficult to manage and to scale Campus Network VPN Server Client software IPSec

14 Comparing the options TLSTTLSPEAPLEAPIPSec EncryptRC4 3DES/AES User KeysYes Client software ManyFUNK, MeetingH ManyCiscoMany Auth. Server software ManyFUNK, MeetingH ManyCiscoMany Client certificates Req.Optional NoOptional Server certificates Req. NoOptional Cisco, Microsoft, RSA supported

15 802.1x and VLANs Centralized policy control –Per-user VLAN Policy improves traffic control –Timer-based key rotation reduce WEP key risk Wireless switch Engineering Marketing Engineering Marketing Engineering Authentication Server - VLAN ID - re-key

16 802.1x, VLAN, VPN & EAP Recommendations 802.1x –Strongly recommended to deploy 802.1x –Provides centralized management/policy control VPN –If you chose to use VPNs then be sure to use 802.1x too VLAN –Deploy per-user VLAN policy via the authentication server EAP –Consider EAP-TLS if certificate infrastructure in place –Avoid LEAP if standards-based solutions are important –TTLS and PEAP are very similar/competing approaches

17 Evolution of WLAN security

18 Wi-Fi Protected Access (WPA) Authentication –802.1x port based authentication at layer 2 –Works with EAP methods Data Privacy –TKIP (Temporal Key Integrity Protocol) –Bigger Initialization Vector; 48 bits versus 24 bits –Per-user keying & key rotation with every packet –Requires hardware acceleration Data integrity –MIC (Message Integrity Code) algorithm –Fixes flaws in the CRC algorithm used in WEP. WPA IEEE 802.11i Draft 3 802.1x TKIP MIC

19 WPA recommendations Use it if you can –Many devices/NICs do not yet support WPA Network interface cards –Ensure the card supports WPA, some never will Operating systems –Microsoft XP supports WPA –See Meetinghouse and Funk for other OS clients Authentication servers –Make sure they support EAP types Network infrastructure –Make sure the hardware supports WPA

20 Evolution of WLAN security

21 802.11i / WPA2 The future of 802.11 security –Still in draft form at the IEEE 802.11i working group –Expected to be complete in 2004 Uses Advanced Encryption Standard (AES) encryption –Approved by NIST (National Institute of Standards and Technology) –As secure as 3DES, but requires less computational power –Includes integrated data integrity –Also known as the “Rjindael” algorithm Make sure that new hardware is 802.11i-ready –Must support AES cryptography acceleration now

22 Checklist for securing your WLAN  WEP  Turn on WEP, change key  Change default SSID  Disable SSID beacon  802.1x, VLAN, VPN  Use 802.1x with PEAP  Use L2 security if using VPN  Integrates with your VLAN’s  WPA  Require WPA certification  Don’t use pre-shared keys  Look for hardware acceleration  IEEE 802.11i (WPA2)  Uses new AES cipher  Not yet standardized  Use 802.11i-ready equipment Pop Quiz answer is… C. Become aware of WLAN security risks and approaches for risk mitigation.

23 Useful links http://www.legra.com –Security white papers and resource center http://wlanswitch.com –WLAN BLOG with vendor neutral commentary & links to other useful sites http://www.drizzle.com/~aboba/IEEE/ –The unofficial 802.11 security page http://www.netstumbler.com/ –Commonly used “war driving” tool http://wepcrack.sourceforge.net/ –Commonly used tool to break WEP keys http://www.wifialliance.com/opensection/certified_products.asp –WiFi Alliance list of certified products http://www.unstrung.com/document.asp?doc_id=41185 –“Look before you leap” article that discusses how LEAP was cracked.

24

Download ppt "Securing your wireless LAN Paul DeBeasi VP Marketing"

Similar presentations

IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
CSE 6590 1.  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in 802.11  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 

CSE  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.

Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.
How secure are 802.11b Wireless Networks? By Ilian Emmons University of San Diego.

How secure are b Wireless Networks? By Ilian Emmons University of San Diego.
CSG357 Dan Ziminski & Bill Davidge 1 Effective Wireless Security – Technology and Policy CSG 256 Final Project Presentation by Dan Ziminski & Bill Davidge.

CSG357 Dan Ziminski & Bill Davidge 1 Effective Wireless Security – Technology and Policy CSG 256 Final Project Presentation by Dan Ziminski & Bill Davidge.
無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – 802.11b  Security Mechanisms in 802.11b  Security Problems in 802.11b  Solutions for 802.11b.

無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – b  Security Mechanisms in b  Security Problems in b  Solutions for b.
Implementing Wireless LAN Security

Implementing Wireless LAN Security
Security+ Guide to Network Security Fundamentals, Third Edition

Security+ Guide to Network Security Fundamentals, Third Edition
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.

Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.
WEP and 802.11i J.W. Pope 5/6/2004 CS 589 – Advanced Topics in Information Security.

WEP and i J.W. Pope 5/6/2004 CS 589 – Advanced Topics in Information Security.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
MITP | Master of Information Technology Program Securing Wireless LAN using Cisco-based technology Campus Crew Study Group Paul Matijevic Ed McCulloch.

MITP | Master of Information Technology Program Securing Wireless LAN using Cisco-based technology Campus Crew Study Group Paul Matijevic Ed McCulloch.
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
W i reless LAN Security Presented by: Pallavi Priyadarshini Student ID 003503527.

W i reless LAN Security Presented by: Pallavi Priyadarshini Student ID
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.

11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-1 Security Olga Torstensson Halmstad University.

© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-1 Security Olga Torstensson Halmstad University.

Similar presentations

Ads by Google