Mod 8.1 – Security Cisco Fundamentals of Wireless LANs version 1.2.

Presentation transcript:

Mod 8.1 – Security Cisco Fundamentals of Wireless LANs version 1.2

2 Overview The goals of network security are to maintain integrity, protect confidentiality, and ensure availability. The exponential growth of networking, including wireless technologies, has led to increased security risks. Many of these risks are due to hacking, as well as improper uses of network resources. The specific weaknesses and vulnerabilities of WLANs will be covered. Security configuration for APs, bridges, and clients will be shown and explained.

Security Fundamentals

4 What is security? Security usually refers to ensuring that users can perform only the tasks that they are authorized to do and can obtain only the information that they are authorized to have.

5 AP: "Allow any SSID" Set Guest Mode SSID. If you want the access point to allow associations from client devices that do not specify an SSID in their configurations, you can set up a guest SSID. The access point includes the guest SSID in its beacon. By default, the access point's default SSID, tsunami, is set to guest mode. However, to keep your network secure, you should disable the guest mode SSID on most access points. (Screenshot: AP at default settings; the client has no SSID configured but is Associated.)

6 AP: "Do NOT allow any SSID" Setting the Guest Mode SSID to NONE will not allow clients that do not have an SSID to associate. Remember, it is not difficult for someone to get the SSID, so this should not be relied on as a security measure. The next step should be configuring WEP, WPA, or some other authentication/encryption on your AP. You cannot have the same SSID set as Guest Mode and authentication/encryption. (Screenshot: Guest Mode changed to NONE; the client has no SSID configured and is NOT Associated.)

7 Wired equivalent privacy (WEP) The IEEE standard includes WEP to protect authorized users of a WLAN from casual eavesdropping. The IEEE WEP standard specified a 40-bit key, so that WEP could be exported and used worldwide. Most vendors have extended WEP to 128 bits or more. When using WEP, both the wireless client and the access point must have a matching WEP key. WEP is based upon an existing and familiar encryption type, Rivest Cipher 4 (RC4). 128-bit WEP is sometimes, and more accurately, referred to as 104-bit WEP. Also, be sure the Transmit Key numbers match, i.e. Key 1 on both the AP and the ACU. (Screenshots: AP and ACU WEP key settings.)

8 Authentication and association Open Authentication and Shared Key Authentication are the two methods that the standard defines for clients to connect to an access point. The association process can be broken down into three elements known as probe, authentication, and association. This section will explain both authentication methods.
The state diagram on the slide:
–State 1: Unauthenticated, Unassociated (probe process; successful authentication moves the client to State 2)
–State 2: Authenticated, Unassociated (authentication process; successful association moves the client to State 3; deauthentication returns it to State 1)
–State 3: Authenticated, Associated (association process; disassociation returns the client to State 2)

9 Open Authentication Open Authentication is basically a null authentication, which means there is no verification of the user or machine.

10 Open Authentication Typical Open Authentication on both AP and Client with No WEP keys

11 Open Authentication and WEP Remember there are three steps to Association:
–Probe
–Authentication
–Association
A client can associate with an AP, but use WEP to send the encrypted data packets. Authentication and data encryption are two different things.
–Authentication – Is the client allowed to associate with this AP?
–Encryption – Encrypts the data (payload) and ICV (Integrity Check Value) fields of the MAC frame, not the other fields.
So a client could associate with the AP using Open Authentication (basically no authentication), but use WEP to encrypt the data frames sent after it is associated.

12 Open Authentication and WEP In some configurations, a client can associate to the access point with an incorrect WEP key or even no WEP key.
–The AP must be configured to allow this (coming).
A client with the wrong WEP key will be unable to send or receive data, since the packet payload will be encrypted. Keep in mind that the header is not encrypted by WEP. Only the payload or data is encrypted. (Screenshot: client Associated, but data cannot be sent or received, since it cannot be decrypted.)

13 Open Authentication - Optional WEP Encryption (AP) allows the client to associate with the AP. The Cisco AP must have WEP Encryption set to Optional. Association is successful with any of these options on the client:
–Matching WEP key
–Non-matching WEP key
–No WEP key

14 Authentication Process – Shared-Key Shared key requires the client and the access point to have the same WEP key. An access point using Shared Key Authentication sends a challenge text packet to the client. If the client has the wrong key or no key, it will fail this portion of the authentication process. The client will not be allowed to associate to the AP.

15 Authentication Process – Shared-Key (Review) Shared-key authentication uses WEP (Wired Equivalent Privacy) and can only be used on products that support WEP. The standard requires any stations that support WEP to also support shared-key authentication.

16 Authentication Process – Shared-Key (Review) WEP is an encryption algorithm, not a method of authentication. Shared-key authentication makes use of WEP, and therefore can only be used on APs and clients that implement WEP. However, the standard requires that any stations implementing WEP also implement shared-key authentication. Shared-key authentication requires that a shared key be distributed to stations before attempting authentication. (Diagram: Authentication Request with Challenge Text; Authentication Response with Status Code; shared key = RadiaPerlman.)

17 Authentication Process – Shared-Key (Review)
The client (frame 1):
–Sets the Authentication Algorithm Number to 1 (shared-key)
–Sets the Authentication Transaction Sequence Number to 1
The AP (frame 2):
–Sets the Authentication Algorithm Number to 1 (shared-key)
–Sets the Authentication Transaction Sequence Number to 2
–Status Code set to 0 (Successful)
–Challenge Text (later)
The client (frame 3):
–Sets the Authentication Algorithm Number to 1 (shared-key)
–Sets the Authentication Transaction Sequence Number to 3
–Challenge Text (later)
The AP (frame 4):
–Sets the Authentication Algorithm Number to 1 (shared-key)
–Sets the Authentication Transaction Sequence Number to 4
–Status Code set to 0 (Successful)

18 Authentication Process Authentication –Open-System –Shared-Key (WEP) Encryption –None –WEP or only

19 Authentication Process – Shared-Key ? next

20 Access Point Authentication Open Authentication—Allows your client adapter, regardless of its WEP settings, to authenticate and attempt to communicate with an access point. Open Authentication is the default setting. Shared Key Authentication—Allows your client adapter to communicate only with access points that have the same WEP key. This option is available only if Use Static WEP Keys is selected. In shared key authentication, the access point sends a known unencrypted "challenge packet" to the client adapter, which encrypts the packet and sends it back to the access point. The access point attempts to decrypt the encrypted packet and sends an authentication response packet indicating the success or failure of the decryption back to the client adapter. If the packet is successfully encrypted/decrypted, the user is considered to be authenticated.
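The four-frame shared-key exchange described on the slides, worked through as an added example (not Cisco's code): RC4 and WEP framing are implemented here in plain Python, and the key, IV and challenge text are constructed demo values. The AP reports status 0 only when the returned challenge decrypts under its own key with a valid ICV.

```python
import struct
import zlib

# Constructed 104-bit ("128-bit") WEP key and a fixed 3-byte IV for the demo.
AP_KEY = bytes.fromhex("0123456789abcdef0123456789")
DEMO_IV = b"\x01\x02\x03"
# Constructed 128-byte challenge text (a real AP picks this randomly per attempt).
CHALLENGE = bytes(range(128))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then the keystream XORed over data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP body: cleartext IV || RC4(IV || key) applied to plaintext || CRC32 ICV."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, body: bytes):
    """Strip the IV, decrypt, and return the payload only if the ICV verifies."""
    iv, ciphertext = body[:3], body[3:]
    plain = rc4(iv + key, ciphertext)
    data, icv = plain[:-4], plain[-4:]
    if struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) != icv:
        return None
    return data


def shared_key_auth(ap_key: bytes, client_key, challenge: bytes = CHALLENGE):
    """Run the four-frame exchange and return the frames as dicts.
    Algorithm number 1 = shared key; status 0 = success, 15 = challenge failure."""
    frames = [{"alg": 1, "seq": 1}]                                          # client -> AP
    frames.append({"alg": 1, "seq": 2, "status": 0, "challenge": challenge})  # AP -> client, clear
    # The client WEP-encrypts the challenge with whatever key it holds (no key => no reply).
    reply = wep_encrypt(client_key, DEMO_IV, challenge) if client_key else None
    frames.append({"alg": 1, "seq": 3, "challenge": reply})                  # client -> AP
    # The AP decrypts with its own key: success only if the ICV verifies and the text matches.
    ok = reply is not None and wep_decrypt(ap_key, reply) == challenge
    frames.append({"alg": 1, "seq": 4, "status": 0 if ok else 15})            # AP -> client
    return frames


if __name__ == "__main__":
    for label, key in (("matching key", AP_KEY), ("wrong key", b"wrongkey12345"), ("no key", None)):
        status = shared_key_auth(AP_KEY, key)[-1]["status"]
        print(f"{label}: {'authenticated' if status == 0 else 'rejected'}")
```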

21 Encryption Modes Indicates whether clients should use data encryption when communicating with the device. The three options are: None - The device communicates only with client devices that are not using WEP. WEP Encryption - Choose Optional or Mandatory. If optional, client devices can communicate with this access point or bridge with or without WEP. If mandatory, client devices must use WEP when communicating with the access point. Devices not using WEP are not allowed to communicate. WEP (Wired Equivalent Privacy) is a standard encryption algorithm originally designed to provide a level of privacy comparable to that experienced on a wired LAN. The standard defines WEP base keys of size 40 bits or 104 bits.

22 In Summary
Client
–Use Open Authentication on the client (does not use WEP, i.e. the challenge transaction, during authentication).
–Use WEP for Data Encryption.
AP
–Use Open Authentication.
–Use Mandatory WEP Encryption. Devices not using WEP are not allowed to communicate.

Configuring Basic WLAN Security

24 Basic WLAN security - Physical Access Most wireless access points are easily accessible. They are usually located near users and outside of locked rooms. This puts wireless access points at special risk for theft and for compromise by malicious users. Network monitoring can be used to determine when an access point goes off. Proper procedures will need to be followed to determine what happened to the equipment. Almost all wireless vendors publish the methods of resetting an access point using reset buttons or the console port.

25 Basic WLAN security - Console Administrator accounts and privileges should be set up properly. The console port should be password protected. Choose a secure password.

26 Basic WLAN security - SSH Telnet is an insecure, unencrypted protocol. If at all possible, secure shell (SSH) should be used for all Command Line Interface (CLI) functions. Telnet and SSH should be password protected. For maximum security, disable Telnet and use only SSH. An SSH client is required on the management PC or workstation in order to connect to an AP running SSH. Several freeware programs are available such as PuTTY, Teraterm SSH, and SecureNetTerm.

27 Enabling protocol and MAC filters on APs Filtering can provide an additional layer of wireless security. Filters can be created to filter a protocol or IP port. Protocol filters prevent or allow the use of specific protocols through the access point. Individual protocol filters can be set up and enabled for one or more VLANs. MAC, Ethertype and IP filters can be used to filter wireless client devices, users on the wired LAN, or both.

28 Securing clients and APs Encryption should always be used unless the WLAN is intended for guest access only! If the WLAN is intended for guest access only then it should be segmented from all production traffic (VLAN or DMZ/Internet access).

29 Open Authentication See previous slides for examples. (Diagram: AP with Open Auth. and WEP = 1234; clients with Open Auth. and no WEP key, WEP = 1234, or WEP = 4321 are all shown as Associated.)

30 Event Log

31 Event Log

32 Event Log

33 Disable unneeded services It is important to disable or secure all unneeded services. If Cisco discovery protocol (CDP), domain name service (DNS), network time protocol (NTP), hypertext transfer protocol (HTTP), TFTP, SNMP, or Telnet are not used in the network, they should be disabled.

34 Using VPNs IP Security (IPSec) is a framework of open standards for ensuring secure private communication over IP networks. IPSec Virtual Private Networks (VPNs) use the services defined within IPSec to ensure confidentiality, integrity, and authenticity of data communications across networks such as the Internet. IPSec also has a practical application to secure WLANs. It does this by overlaying IPSec on top of wireless traffic. When deploying IPSec in a WLAN environment, an IPSec client is placed on every PC connected to the wireless network. The user is required to establish an IPSec tunnel and to route any traffic to the wired network.

VLANs

36 VLANs

37 VLANs

38 VLANs

39 Spanning tree Spanning tree is only needed when using wireless bridges. It should remain disabled for access points and repeaters, unless special circumstances exist in the network. The spanning-tree algorithm is used to prevent bridging loops. The algorithm computes available network paths and closes redundant paths, so that there is only one path between any pair of LANs on the network. Improper spanning tree settings can disable needed connections. From a security perspective, an attacker may be able to disable ports in a poorly configured network. Please review and understand spanning tree information when making configuration decisions.

40 Matching Client to AP

41 Matching Client to AP

42 Matching Client to AP

43 Matching Client to AP

44 Matching Client to AP

45 Matching Client to AP

46 Cisco Compliant TKIP Features - Temporal Key Integrity Protocol (TKIP) is a suite of algorithms surrounding WEP, designed to achieve the best possible security on legacy hardware built to run WEP. TKIP adds four new enhancements to WEP:
1. A per-packet key mixing function, to defeat weak key attacks.
2. A new IV sequencing discipline to detect replay attacks.
3. A cryptographic message integrity check (MIC) to detect forgeries such as bit flipping and altering of packet source and destination.
4. An extension of IV space, to virtually eliminate the need for a re-key.

47 Enable MIC - MIC prevents attacks on encrypted packets called bit-flip attacks. During a bit-flip attack, an intruder intercepts an encrypted message, alters it slightly, and retransmits it, and the receiver accepts the retransmitted message as legitimate. The MIC, implemented on both the access point and all associated client devices, adds a few bytes to each packet to make the packets tamper-proof. WEP Encryption must be set to Mandatory for MIC to be enabled. Message integrity check
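Receiver-side versions of the TKIP checks from the two slides above (IV sequencing against replay, and a keyed MIC against bit flipping), added here as an illustration rather than Cisco's implementation. HMAC-SHA256 stands in for TKIP's Michael MIC, per-packet key mixing and the RC4 layer are left out, and the MIC key, MAC addresses and frames are constructed. The demo shows why the unkeyed WEP ICV alone is not enough: a modified frame whose CRC was simply recomputed still fails the keyed MIC.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed demo values; in TKIP the MIC key is derived from the negotiated session keys.
MIC_KEY = b"constructed-demo-mic-key"
CLIENT = bytes.fromhex("00112233aabb")  # constructed MAC addresses
AP = bytes.fromhex("0a0b0c0d0e0f")


def icv(payload: bytes) -> bytes:
    """WEP's Integrity Check Value: an unkeyed CRC32, so anyone can recompute it."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def mic(key: bytes, src: bytes, dst: bytes, tsc: int, payload: bytes) -> bytes:
    """Keyed MIC over addresses, sequence counter and payload (HMAC stands in for Michael)."""
    msg = src + dst + struct.pack(">Q", tsc) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def build_frame(src: bytes, dst: bytes, tsc: int, payload: bytes) -> dict:
    """A legitimate sender's frame: payload plus both the ICV and the keyed MIC."""
    return {"src": src, "dst": dst, "tsc": tsc, "payload": payload,
            "icv": icv(payload), "mic": mic(MIC_KEY, src, dst, tsc, payload)}


class Receiver:
    """Applies the checks the slides describe, in the order TKIP performs them."""

    def __init__(self, mic_key: bytes):
        self.mic_key = mic_key
        self.last_tsc = {}  # highest accepted sequence counter per sender

    def accept(self, f: dict) -> str:
        # IV sequencing: a counter that does not advance is a replayed frame.
        if f["tsc"] <= self.last_tsc.get(f["src"], -1):
            return "reject: replay"
        # Legacy WEP integrity check (necessary, but not sufficient on its own).
        if f["icv"] != icv(f["payload"]):
            return "reject: icv"
        # Keyed MIC: a modification made without the key cannot produce a valid value.
        expected = mic(self.mic_key, f["src"], f["dst"], f["tsc"], f["payload"])
        if not hmac.compare_digest(f["mic"], expected):
            return "reject: mic"
        self.last_tsc[f["src"]] = f["tsc"]  # advance only on a fully verified frame
        return "accept"


def run_demo() -> list:
    """Feed a receiver a good frame, its replay, a tampered frame, and a later good frame."""
    rx = Receiver(MIC_KEY)
    first = build_frame(CLIENT, AP, 1, b"temp=21")
    # Tampered copy: payload altered and the unkeyed ICV recomputed, MIC left untouched.
    tampered = dict(build_frame(CLIENT, AP, 2, b"temp=21"))
    tampered["payload"] = b"temp=91"
    tampered["icv"] = icv(tampered["payload"])
    later = build_frame(CLIENT, AP, 3, b"temp=22")
    return [rx.accept(first), rx.accept(first), rx.accept(tampered), rx.accept(later)]


if __name__ == "__main__":
    print(run_demo())
```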

48 Enable Per Packet Keying - EAP authentication provides dynamic unicast WEP keys for client devices but uses static broadcast keys. With broadcast, or multicast, WEP key rotation enabled, the access point provides a dynamic broadcast WEP key and changes it at the interval you select in the Broadcast Key Change Frequency field. Broadcast key rotation is an excellent alternative to TKIP if your wireless LAN supports wireless client devices that are not Cisco devices or that cannot be upgraded to the latest firmware for Cisco client devices.

49 AP has WEP (Optional) and host not using WEP. Associated. Would not be Associated if WEP was Mandatory.

55 To configure the access point for WPA, follow these steps.
1. Set up the Encryption Manager
–Enable Cipher for TKIP.
–Clear the value in Key 1.
–Set Encryption Key 2 as the Transmit Key.
–Click the Apply-Radio# button.

56 2. Set up the SSID Manager
–Select the desired SSID from the Current SSID List.
–Choose an appropriate authentication method, based on the type of client cards used. If EAP worked prior to the addition of WPA, no change should be required.
–Enable key management. First choose Mandatory from the pulldown box, then check the box to choose WPA.
–Click Apply-Radio#.

57 Verify This section provides information you can use to confirm your configuration works properly. Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output. show dot11 association - This command displays information about a specifically identified associated client. Verify that the client negotiates Key Management as WPA and Encryption as TKIP.

58 The Association Table entry for a given client should also indicate Key Management as WPA and Encryption as TKIP. From the Association Table, click a given MAC address for a client to see the details of the association for that client.