Copyright © 2006 Heathkit Company, Inc. All Rights Reserved. Introduction to Networking Technologies: Wireless Security.


2 [Figure labels: Your Building, Public Parking]

3 Wireless LANs provide several security features: a “hidden” Service Set Identifier (SSID); MAC address filtering; authentication; encryption.

4 Hidden vs. Non-hidden SSID Some believe that hiding the SSID is a good security measure, since it requires users to know the SSID in order to connect to an Access Point. Tools are now readily available that can “snoop-out” these hidden Access points. In view of this, many now say that you should openly broadcast the SSID.

5

6 MAC Address Filtering You manually enter the MAC address of every authorized user’s wireless network adapter into the Access Point. Must be updated as users come and go and when equipment is replaced. MAC address spoofing is still possible.

7

8 Authentication The process of verifying identity. A way to prove to one entity that another entity is who it claims to be. User ID and password are a rudimentary form of authentication. MAC address filtering is another.

9 Remote Authentication Dial-In User Service (RADIUS) Protocol Centralizes authentication and permissions into a single server. Authenticates MAC addresses. Associates clients with keys or passwords. Secures the wireless LAN against hackers.

10 Encryption: Wired Equivalent Privacy (WEP); Wi-Fi Protected Access (WPA); IEEE 802.11i.

11 Wired Equivalent Privacy (WEP) The original native security mechanism for 802.11-based WLANs. It initially claimed to give the wireless LAN the same level of privacy as the wired LAN. It proved to be vulnerable. Probably still suitable for most home use. At the Enterprise level, it must not be used alone, but can be used in combination with other techniques to add an additional layer of protection.

12

13

14 Wi-Fi Protected Access (WPA) Developed by the Wi-Fi Alliance in conjunction with IEEE. A subset of the much more extensive 802.11i. Said to be forward compatible with 802.11i.

15 WPA improves on WEP by: Enhanced data encryption. Authentication mechanism added. Message Integrity Check (MIC)

16 Message Integrity Check (MIC) Prevents an attacker from capturing data packets, modifying them, and resending them. The transmitter computes and transmits a special Message Integrity Check (MIC) code along with each packet. The code is based on the content of the packet. The receiver computes the MIC code. If the two MIC codes do not match, the packet is rejected.
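The compute, transmit, recompute and compare cycle described on this slide, as an added example that is not part of the original presentation. WPA's own MIC algorithm is Michael; HMAC-SHA-256 stands in for it here, and the key, payloads, tag length and function names are constructed. The unkeyed CRC trailer is included only for contrast, to show why the code must depend on a key.

```python
import hashlib
import hmac
import zlib

MIC_LEN = 8  # tag bytes appended to each packet (constructed choice)


def crc_send(payload: bytes) -> bytes:
    """Unkeyed checksum trailer: anyone can recompute it."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def crc_receive(packet: bytes):
    payload, trailer = packet[:-4], packet[-4:]
    ok = zlib.crc32(payload).to_bytes(4, "big") == trailer
    return payload if ok else None


def mic_send(key: bytes, payload: bytes) -> bytes:
    """Transmitter: compute the MIC from the key and the packet content."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()[:MIC_LEN]


def mic_receive(key: bytes, packet: bytes):
    """Receiver: recompute the MIC; return the payload, or None to reject."""
    if len(packet) < MIC_LEN:
        return None
    payload, mic = packet[:-MIC_LEN], packet[-MIC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:MIC_LEN]
    # Constant-time comparison: do not leak how many bytes matched.
    return payload if hmac.compare_digest(mic, expected) else None


def demo():
    key = b"constructed-session-key"   # known only to the two stations
    original = b"PAY 0010 TO ALICE"    # constructed sample payload
    altered = b"PAY 9910 TO ALICE"     # same packet, modified in transit

    # Checksum only: the altered payload with a recomputed CRC is accepted.
    crc_result = crc_receive(crc_send(altered))
    # MIC: the altered payload still carries the tag made for the original.
    tag = mic_send(key, original)[-MIC_LEN:]
    mic_result = mic_receive(key, altered + tag)
    return crc_result, mic_result, mic_receive(key, mic_send(key, original))


if __name__ == "__main__":
    print(demo())
```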

17 WPA=TKIP+EAP+MIC Temporal Key Integrity Protocol (TKIP) – Solves the key and encryption weaknesses associated with WEP. Extensible Authentication Protocol (EAP) – Adds authentication. Message Integrity Check (MIC) – Rejects packets which have been captured, modified, and resent.

18 WPA’s Home Mode Intended for Small Office/Home Office (SOHO) Networks which cannot afford a separate authentication server. Allows manually entered keys or passwords to act as the authentication mechanism.

19 IEEE 802.11i Security specification currently under development by IEEE. Better encryption and authentication. Secure IBSS, secure hand-offs when roaming, and advanced encryption techniques.

20 Virtual Private Network (VPN) Capability readily available on modern operating systems. Creates a private link through a public network. Originally designed for privacy across public phone lines and across the Internet. Often used as an additional layer of protection on wireless LANs.

21 Virtual Private Network (VPN): Encryption; Authentication; Encapsulation.

22 Encapsulation The process of placing packets of one protocol inside the packets of another protocol. Used for transporting Protocol-A across a network that recognizes only Protocol-B. Example – NetBEUI packets can be encapsulated inside TCP/IP packets for transport over the Internet.

23 [Figure: a NetBEUI packet and a TCP/IP packet, each made up of a header (H), DATA, and a trailer (T).]

24 [Figure: the NetBEUI packet (H, DATA, T) placed in the data field of a TCP/IP packet.]

25 [Figure: the TCP/IP packet (H, DATA, T) placed in the data field of a line protocol packet.]
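The nesting shown on slides 22 to 25, as an added example that is not part of the original presentation. The packet layout (4-byte protocol tag, 2-byte length, CRC-32 trailer), the tags and the function names are constructed for illustration and are not the real NetBEUI, TCP/IP or line protocol formats.

```python
import struct
import zlib

STACK = (b"NBEU", b"IP", b"LINE")  # innermost first; constructed 4-byte tags


def frame(proto: bytes, data: bytes) -> bytes:
    """Header (tag + 2-byte length) + data + trailer (CRC-32). Toy format."""
    if len(data) > 0xFFFF:
        raise ValueError("data field too large for this toy header")
    header = proto.ljust(4)[:4] + struct.pack("!H", len(data))
    return header + data + struct.pack("!I", zlib.crc32(header + data))


def unframe(packet: bytes):
    """Return (tag, data field) of one packet, or raise ValueError."""
    if len(packet) < 10:
        raise ValueError("shorter than header + trailer")
    header = packet[:6]
    (length,) = struct.unpack("!H", header[4:])
    if len(packet) != 10 + length:
        raise ValueError("length field does not match packet size")
    data = packet[6:6 + length]
    (crc,) = struct.unpack("!I", packet[-4:])
    if crc != zlib.crc32(header + data):
        raise ValueError("trailer check failed")
    return header[:4].rstrip(), data


def encapsulate(message: bytes, stack=STACK) -> bytes:
    packet = message
    for proto in stack:              # each packet becomes the next data field
        packet = frame(proto, packet)
    return packet


def decapsulate(packet: bytes, stack=STACK) -> bytes:
    for proto in reversed(stack):    # peel the outermost protocol first
        tag, packet = unframe(packet)
        if tag != proto:
            raise ValueError(f"expected {proto!r}, found {tag!r}")
    return packet


def demo():
    message = b"constructed NetBEUI payload"
    wire = encapsulate(message)
    # Encapsulation alone hides nothing: the inner bytes sit in the data field.
    return decapsulate(wire) == message, message in wire, len(wire) - len(message)
```

The second value returned by `demo()` is the point for VPN design: the inner payload is readable on the wire, which is why slide 21 lists encryption and authentication alongside encapsulation.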

26 Communications Protocols: Serial Line Internet Protocol (SLIP); Point-to-Point Protocol (PPP); Point-to-Point Tunneling Protocol (PPTP); Layer 2 Tunneling Protocol (L2TP); IP Security (IPsec) Protocol.

27 Serial Line Internet Protocol (SLIP) Used for making a connection over a serial interface to a remote network. Supports TCP/IP only. Systems that use SLIP require a static IP address. Has been largely phased out in favor of PPP.

28 Point-to-Point Protocol (PPP) Has replaced SLIP in all but the oldest connections. It supports NetBEUI and IPX as well as TCP/IP. It supports dynamic IP addressing.

29 Point-to-Point Tunneling Protocol (PPTP) Developed by Microsoft. Supported by Microsoft products and by Linux. Works with PPP to create a secure path through the Internet called a “tunnel.” Allows you to use the Internet as though you are using your own private network. Creates a Virtual Private Network (VPN).

30 Private Network [Figure labels: Headquarters, Branch Office, Leased Line]

31 The Dial-Up Network [Figure label: Headquarters]

32 The Virtual Private Network (VPN) [Figure labels: Headquarters, Internet]

33 The PPTP Client Process Establish the PPP connection. Establish the PPTP connection. PPTP Packet Tunneling

34 Advantages of PPTP Convenience and low cost of the Internet. Security of a Private Network. Allows multi-protocol encapsulation. Uses the Internet as a backbone for carrying TCP/IP, IPX, and NetBEUI. Supported by Microsoft products such as Windows NT, Windows 98, Windows 2000 and Windows XP.

35 Layer 2 Tunneling Protocol (L2TP) An extension of PPP, it provides a method for encapsulating standard PPP through a variety of media. Combines the best features of PPTP and a Cisco Systems protocol called L2F. More secure than PPTP. It requires that your ISP supports this protocol. Its main function is to create a virtual private network (VPN).

36 IP Security (IPsec) Protocol A set of protocols used to implement virtual private networks. Provides two levels of encryption. Requires that both the sending and receiving devices share a public key. Can transmit only IP packets.

37 Authentication Protocols: Password Authentication Protocol (PAP); Challenge Handshake Authentication Protocol (CHAP); Extensible Authentication Protocol (EAP).

38 Password Authentication Protocol (PAP) User’s ID and Password are sent to server for authentication. Because they are not encrypted, PAP is not very secure.

39 Challenge Handshake Authentication Protocol (CHAP) The server first authenticates the user by the User’s Name. Password is used as the Encryption Key, so that the Password is never sent across the remote access connection.
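PAP and CHAP side by side, as an added example that is not part of the original presentation. The CHAP response follows RFC 1994 (an MD5 hash over the identifier, the shared secret and the challenge); the PAP wire format is simplified, and the class, user name and password are constructed.

```python
import hashlib
import hmac
import os


def pap_request(user: str, password: str) -> bytes:
    """PAP: ID and password go to the server as-is (simplified wire format)."""
    return user.encode() + b"\x00" + password.encode()


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secrets: dict):
        self.secrets = secrets   # user -> shared secret, kept server-side
        self.pending = {}        # user -> (identifier, challenge)

    def challenge(self, user: str):
        ident, chal = os.urandom(1)[0], os.urandom(16)
        self.pending[user] = (ident, chal)
        return ident, chal

    def verify(self, user: str, response: bytes) -> bool:
        # pop(): each challenge is good for one attempt only.
        ident, chal = self.pending.pop(user, (None, None))
        if chal is None or user not in self.secrets:
            return False
        expected = chap_response(ident, self.secrets[user], chal)
        return hmac.compare_digest(expected, response)


def demo():
    secret = b"constructed-password"
    server = ChapServer({"alice": secret})
    ident, chal = server.challenge("alice")
    response = chap_response(ident, secret, chal)   # what crosses the link
    first = server.verify("alice", response)
    server.challenge("alice")                       # a later session
    replayed = server.verify("alice", response)     # old response resent
    on_wire_pap = secret in pap_request("alice", secret.decode())
    on_wire_chap = secret in (bytes([ident]) + chal + response)
    return first, replayed, on_wire_pap, on_wire_chap
```

The fresh random challenge is what makes a captured response useless for a later session; the cost is that the server has to hold each secret in a form it can feed into the hash.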

40 Extensible Authentication Protocol (EAP) New and stronger security and authentication schemes are constantly evolving. Allows the OS to plug in new and better authentication schemes as they are developed. Supports Security Certificates. Used mostly in Corporate settings.

41 VPN in the Wireless LAN [Figure labels: Access Point (AP), VPN Server, Switch, VPN Client]

42 Wireless Security Practices Password Protect Wireless Laptops. Change Default Parameters of Wireless Equipment. If possible, use encryption that is better than WEP. Even with its weaknesses, it is still a good idea to use WEP. Beware of mixed WEP and WPA deployment.

43 Wireless Security Practices (Continued) Pay close attention to antenna selection and placement. Never assume range is a security barrier. Enable the filtering capabilities of your equipment. Beware remote administration of access points. Beware of “rogue” access points.

44 Password Protect Wireless Laptops.

45 Change Default Parameters of Wireless Equipment.

46 If possible, use encryption that is better than WEP.

47 Even with its weaknesses, it is still a good idea to use WEP.

48 Beware of mixed WEP and WPA deployment.

49 Pay close attention to antenna selection and placement.

50 Never assume range is a security barrier.

51 Enable the filtering capabilities of your equipment.

52 Beware remote administration of access points.

53 Beware the Ad-Hoc Mode.

54 Use as little power as needed.

55 Beware of “rogue” access points. Ignorance. Malice.

56 Now, it’s your turn.