1 Network Authentication with PKI EDUCAUSE/Dartmouth PKI Summit July 27, 2005 Jim Jokl University of Virginia.


2 Background: UVa Wireless LAN Project
 Deploy campus-wide Wireless LAN (WLAN)
   - Initial focus on student areas
   - Later emphasis on faculty/staff areas
 Support multiple applications
   - Focus on standard applications: Web, login, file transfer, etc.
   - Don't focus on applications such as video
 Provide security
   - Wireless really is different in this regard

3 UVa WLAN Summary
 Access Point summary as of July: access points in database with approximately 704 operational
   - ~250 older Cisco b ( GHz) units
   - Remainder are modern Cisco 1100/1200 series access points
      G/B ( GHz)
      A (45 5 GHz)
      Still need to install A/G radios in some of the 1200s
 Wireless security system
   - Would have liked strong authentication and encryption for all WLAN access, however ...

4 Wireless Security
 Have to support "other" devices

5 Initial Wireless Security System
 MAC address validation
   - Users register the hardware address of their wireless adapter
   - Provisions for anyone affiliated with the university to register cards for guests
   - Supports "random" devices
 Secured wireless via Cisco LEAP
   - Password-based authentication
   - Dynamic symmetric cipher keys
   - Had expected this technology to be widely implemented by vendors

6 EAP-based Authentication Process
(diagram: User, Access Point, UVa Network, Radius Servers)

7 Authentication Transition
 Combination of LEAP and MAC registration was OK for a couple of years
 However, LEAP never became mainstream and generally required a Cisco wireless card and software installation
   - We had anticipated native LEAP support with Windows XP
   - Final straw was a reported security vulnerability with the LEAP protocol

8 Wireless LAN Access Control

| | EAP-MD5 | LEAP | EAP-TLS | EAP-TTLS | PEAP |
|---|---|---|---|---|---|
| Server Authentication | None | Password Hash | Public Key | Public Key | Public Key |
| Supplicant Authentication | Password Hash | Password Hash | Public Key | CHAP, PAP, MS-CHAP(v2), EAP | Any EAP, like EAP-MS-CHAPv2 or Public Key |
| Dynamic Key Delivery | No | Yes | Yes | Yes | Yes |
| Security Risks | Identity exposed, Dictionary attack, MitM attack, Session hijacking | Identity exposed, Dictionary attack | Identity exposed | MitM attack | MitM attack |

Source: wi-fiplanet.com

9 Background: UVa Standard Assurance CA (PKI-Lite)
 On-line Web CA
 Uses existing account information to validate user request
 Computing ID, password, and some database info checked
 Certificate and chain automatically installed, or PKCS-12
 ~20k active certificates now

10 UVa EAP-TLS Wireless Authentication
 User verifies the Radius server's identity using PKI
 The Radius server verifies the user's identity using PKI
 An LDAP-based authorization step happens
 Association is allowed and dynamic session crypto keys are exchanged
(diagram: User, Access Point, Radius Server, LDAP AuthZ)

11 OS Support for EAP-TLS
 Operating System Support
   - Windows XP, Windows 2000 SP-4*
   - MacOS (10.3.3)
   - 3rd party software available
 Very easy to use
   - No account management, passwords, etc.
   - Login to your workstation and secure wireless just works
   - AuthZ step will make it easier to keep hacked machines off of the WLAN

12 EAP-TLS and the Microsoft Clients
 Microsoft field in certificate for AuthN
   - Subject Alt Name / Other Name / Principal Name
   - OID
   - If not present, uses CN
      Uniqueness issues for many CAs
   - Easy to add to certificate profile
 Impact on the PKI-Lite certificate profiles
   - Agreed to add this extension to EE cert profile
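The slide above describes how the Windows supplicant picks the account name from an EAP-TLS client certificate: the Principal Name (UPN) carried as an OtherName inside the Subject Alternative Name, falling back to the subject CN when that field is absent. The following is an added example, not code from the UVa project or these slides. It encodes and decodes only the DER-encoded SubjectAltName extension value (what sits inside the extension's extnValue OCTET STRING) with the standard library, so it runs without a certificate toolkit. The OID 1.3.6.1.4.1.311.20.2.3 is Microsoft's registered szOID_NT_PRINCIPAL_NAME; the UPN strings and CN used as input are constructed for the example.

```python
"""Pick the EAP-TLS account name from a certificate's SubjectAltName the way
the slide describes: UPN OtherName if present, otherwise the subject CN.
Added example (not UVa code); parses only the SAN extension value."""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft szOID_NT_PRINCIPAL_NAME

# ---- minimal DER helpers: just enough for a SubjectAltName value ----
def _encode_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _encode_len(len(body)) + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128 with continuation bits
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))

def _read_tlv(buf, pos):
    """Return (tag, value bytes, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(data):
    arcs = [data[0] // 40, data[0] % 40]
    val = 0
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def build_san(upn=None, dns_names=()):
    """Construct a DER SubjectAltName value (sample data for this example)."""
    names = b""
    if upn is not None:
        # otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }
        other = _encode_oid(UPN_OID) + _tlv(0xA0, _tlv(0x0C, upn.encode("utf-8")))
        names += _tlv(0xA0, other)                  # GeneralName otherName [0]
    for d in dns_names:
        names += _tlv(0x82, d.encode("ascii"))      # GeneralName dNSName [2]
    return _tlv(0x30, names)

def upn_from_san(san_der):
    """Return the UPN string carried in the SAN, or None if there is none."""
    tag, seq, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName value must be a SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0xA0:                             # not an otherName
            continue
        oid_tag, oid_bytes, p = _read_tlv(body, 0)
        if oid_tag != 0x06 or _decode_oid(oid_bytes) != UPN_OID:
            continue                                # some other OtherName type
        _, explicit, _ = _read_tlv(body, p)         # [0] EXPLICIT wrapper
        inner_tag, value, _ = _read_tlv(explicit, 0)
        if inner_tag == 0x0C:                       # UTF8String
            return value.decode("utf-8")
    return None

def eap_tls_identity(san_der, subject_cn):
    """(name, source): UPN from the SAN when present, else the subject CN.
    The CN fallback is where the slide's uniqueness problem arises: two
    certificates with the same CN would map to the same account."""
    upn = upn_from_san(san_der)
    if upn:
        return upn, "upn"
    return subject_cn, "cn"
```

A RADIUS server or supplicant doing this on a real certificate would take the SAN bytes from the extension with OID 2.5.29.17 and hand them to upn_from_san; a CA adding the UPN to its end-entity profile, as the slide says PKI-Lite agreed to do, produces exactly the otherName structure build_san emits.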

13 Summary: Supported wireless "accounts" at UVa
 EAP-TLS: our main wireless network
   - Leverage PKI for user authentication on WinXP and MacOS 10.3
   - Dynamic session encryption keys
 MAC Address restricted network
   - Provides access control and limited authentication
   - Especially useful for devices with limited functionality
   - Now integrated with our main NetReg MAC address registration system
 Guest MAC
   - Access control and identification of UVa sponsor

14 UVa WLAN Authentication Transition
 Transitioned to new authentication summer 2004
   - Added an EAP-TLS VLAN, removed LEAP
 EAP-TLS is the authentication used on the broadcast SSID
   - Main EAP-TLS issues encountered:
      Old drivers for users' wireless cards
      A few users still had certificates without the Microsoft attribute
      Macintosh a little harder since no Safari integration for certificate download and installation
 Retained a legacy MAC registration-only VLAN
   - For special devices that don't support EAP-TLS
   - Non-broadcast SSID
 Transition completed by end of summer
   - Few hard problems encountered
 Will add EAP-TLS VLAN for access to UVa "More Secure" network once more AuthZ work is completed
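Slides 10, 13 and 14 describe three access tiers (an EAP-TLS VLAN for PKI-authenticated users, a legacy MAC-registration VLAN, and sponsored guest MACs) plus an LDAP authorization step that can keep compromised machines off the WLAN. The block below is an added example of that authorization step, not UVa's RADIUS or NetReg code. The directory entries, MAC registry, VLAN numbers and identities are constructed for the example; the reply attributes are the standard RFC 3580 VLAN-assignment attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) a RADIUS server returns in an Access-Accept so the access point places the session in the right VLAN.

```python
"""Post-authentication authorization for a three-tier campus WLAN.
Added example (not UVa code). Stand-ins for LDAP and the MAC registry are
plain dicts; VLAN ids and identities are constructed sample values."""
from dataclasses import dataclass

EAP_TLS_VLAN = "210"        # constructed VLAN ids for the three tiers
LEGACY_MAC_VLAN = "220"
GUEST_VLAN = "230"

@dataclass
class DirectoryEntry:
    """What the LDAP AuthZ lookup returns for an identity."""
    affiliate: bool           # still affiliated with the university
    quarantined: bool = False # flagged by security: keep off the WLAN

# Constructed sample data standing in for LDAP and the NetReg MAC database.
DIRECTORY = {
    "user1@example.edu": DirectoryEntry(affiliate=True),
    "user2@example.edu": DirectoryEntry(affiliate=True, quarantined=True),
    "former@example.edu": DirectoryEntry(affiliate=False),
}
MAC_REGISTRY = {
    "00:11:22:33:44:55": {"sponsor": "user1@example.edu", "guest": False},
    "00:11:22:33:44:66": {"sponsor": "user1@example.edu", "guest": True},
    "00:11:22:33:44:77": {"sponsor": "former@example.edu", "guest": True},
}

def vlan_attributes(vlan_id):
    """RFC 3580 reply attributes that steer the session into a VLAN."""
    return {
        "Tunnel-Type": "VLAN",             # integer value 13
        "Tunnel-Medium-Type": "IEEE-802",  # integer value 6
        "Tunnel-Private-Group-Id": vlan_id,
    }

def authorize(method, identity=None, mac=None):
    """Return ("Access-Accept", attrs) or ("Access-Reject", reason).

    method "eap-tls": identity is the name taken from the client certificate
    that the RADIUS server has already validated against the CA chain.
    method "mac": identity is not trusted; only the calling station's MAC
    address is checked against the registration database.
    """
    if method == "eap-tls":
        entry = DIRECTORY.get(identity)
        if entry is None or not entry.affiliate:
            return "Access-Reject", "identity not authorized for WLAN"
        if entry.quarantined:
            return "Access-Reject", "identity quarantined"
        return "Access-Accept", vlan_attributes(EAP_TLS_VLAN)
    if method == "mac":
        reg = MAC_REGISTRY.get((mac or "").lower())
        if reg is None:
            return "Access-Reject", "MAC not registered"
        sponsor = DIRECTORY.get(reg["sponsor"])
        if sponsor is None or not sponsor.affiliate:
            return "Access-Reject", "sponsor no longer affiliated"
        vlan = GUEST_VLAN if reg["guest"] else LEGACY_MAC_VLAN
        return "Access-Accept", vlan_attributes(vlan)
    return "Access-Reject", "unknown authentication method"
```

The ordering matters: a valid certificate alone never grants access, because the directory lookup runs after certificate validation and can refuse a quarantined or de-affiliated identity without revoking the certificate. Guest MACs are tied to a sponsor, so a sponsor leaving the university also ends the guest's access, which is the "identification of UVa sponsor" the summary slide mentions.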

15 Authentication on the UVa WLAN

16 Background: University of Virginia PKI
 Project Goal
   - Enable PKI support in a wide range of applications
 Deploy two campus CAs to support two types of PKI-enabled applications
   - Standard Assurance CA
      For better security on common applications
      Improve ease of use on some applications
      Identity proofing marginally stronger than used with simple passwords
   - High Assurance CA
      For new applications requiring high security
      Uses hardware tokens only: 2-factor authentication
      Strong identity validation before certificate is issued

17 UVaAnywhere VPN Service
 Our first PKI application
 Certificate AuthN
 Encrypted path to UVa network edge
 On-campus IP address
 Cisco 3000 concentrators
 Adding LDAP AuthZ
 IPSec and Cisco VPN client is the only supported mechanism
(diagram: Internet Connections, UVaAnywhere Concentrators, UVaNet)

18 UVaAnywhere-Lite
 Just added new SSL VPN service
   - For web applications only
   - Uses existing Cisco 3000 concentrators
   - PKI for authentication
   - Uses LDAP for authorization
   - Web VPN provides convenient pop-up box for navigation
      Customized with library and department pages that point to their web resources

19 Remote Access to the More Secure Network: Certificate AuthN and LDAP AuthZ
(diagram: Firewall, VPN, SMTP Relay, LPR Relay, LDAP AuthZ; "Less Secure" Network Level 1, "More Secure" Network Level 2)

20 VPN PKI 2-factor Authentication with LDAP Authorization
(diagram: VPN Concentrators, Firewall, LDAP AuthZ Servers, Oracle ERP servers S1, S2, S3 ... Sn, Hospital Net, Main Campus Network, with IN/OUT paths)

21 Oracle Special Services (ERP): 2-factor Cert AuthN and LDAP AuthZ
(diagram: Main UVa Network, VPN Concentrators, Firewalls, LDAP AuthZ Servers, servers S1, S2, S3, S4 ... Sn; separate IN/OUT paths for Normal User and OSS User)

22 Some References
 UVa Wireless LAN site
 UVa PKI Site
 UVa VPN Sites
 HEPKI-TAG PKI-Lite