So what's the problem?
WEP is a euphemism
– Wired
– Equivalent
– Privacy
Actually, it's a lie
– It isn't equivalent to wired privacy at all!
– How can you secure the air?
Thus: WEP's very poor: http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
WLAN Security Challenges
Unsecured WLAN
– Most wireless LANs are unsecured
[Diagram: Mobile Employee, WLAN Access Point, Company Servers, Evil Hacker]
Other 802.11 Challenges
Access Points are dim!
Key Management (!!!!)
– Manual update = never changed!
Access Control with MAC address filtering
– = NO SECURITY!
Neither is scalable
What is needed:
– Authentication
– Authorization
– Data Protection
– Audit
VPNs
Pros
– Familiarity
– Hardware independent
– Proven security
Cons
– Lacks user transparency
– Only user logon (not computer)
– Roaming profiles, logon scripts, GPOs, shares, management agents, Remote Desktop broken
– No reconnect on resume from standby
– Complex network structure
VPNs: More Cons
– No protection for WLAN
– Bottleneck at VPN devices
– Higher management & hardware cost
– Prone to disconnection
Yet more cons! (non-MS VPNs)
– 3rd party licensing costs
– Client compatibility
– Many VPN auth schemes (IPsec Xauth) are as bad as WEP!
PEAP encapsulation
1. Server authenticates to client
2. Establishes protected tunnel (TLS)
3. Client authenticates inside tunnel to server
No cryptographic binding between PEAP tunnel and tunneled authN method
Fix: constrain client (in GPO) to trust only a specific corporate root CA
– Foils potential MitM attacks
802.1X over 802.11
Parties: Supplicant, Authenticator, Authentication Server
– 802.11 association (Supplicant – Authenticator); access blocked
– EAPOL-start (Supplicant → Authenticator) "Gotta get on!"
– EAP-request/identity (Authenticator → Supplicant)
– EAP-response/identity (Supplicant → Authenticator) → RADIUS-access-request (Authenticator → Authentication Server)
– RADIUS-access-challenge (Authentication Server → Authenticator) → EAP-request (Authenticator → Supplicant)
– EAP-response (credentials) (Supplicant → Authenticator) → RADIUS-access-request (Authenticator → Authentication Server)
– RADIUS-access-accept (Authentication Server → Authenticator) → EAP-success (Authenticator → Supplicant); access allowed
– EAPOW-key (WEP) (Authenticator → Supplicant): Authentication Server "Calculating this guy's key…", Supplicant "Calculating my key… (Wow, I just don't understand this new maths!)"
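The exchange above as a runnable simulation, added here and not part of the deck. It models the three parties with constructed sample credentials and an abstract EAP method, and shows that the authenticator only relays EAP inside RADIUS and keeps its controlled port blocked until the server returns Access-Accept (the key delivery step is omitted).

```python
from dataclasses import dataclass, field

@dataclass
class AuthServer:
    """RADIUS server: the only party that holds or checks credentials (constructed users)."""
    users: dict

    def handle(self, eap):
        # The Access-Request carries the supplicant's EAP message untouched.
        if eap["type"] == "response/identity":
            return "access-challenge", {"type": "request/credentials"}
        if eap["type"] == "response/credentials":
            if self.users.get(eap["identity"]) == eap["secret"]:
                return "access-accept", {"type": "success"}
        return "access-reject", {"type": "failure"}

@dataclass
class Authenticator:
    """Access point: relays EAP over RADIUS; controlled port stays blocked until Access-Accept."""
    server: AuthServer
    port_open: bool = False
    transcript: list = field(default_factory=list)

    def eapol(self, frame):
        self.transcript.append(("supplicant->ap", frame["type"]))
        if frame["type"] == "eapol-start":
            reply = {"type": "request/identity"}      # AP answers this one itself
        else:
            code, reply = self.server.handle(frame)   # everything else goes to RADIUS
            self.transcript += [("ap->server", "access-request"), ("server->ap", code)]
            self.port_open = code == "access-accept"
        self.transcript.append(("ap->supplicant", reply["type"]))
        return reply

    def data(self, payload):
        # The uncontrolled port carries only EAPOL; other traffic is dropped while blocked.
        return "forwarded" if self.port_open else "blocked"

def run_exchange(server, identity, secret):
    """Drive one supplicant through the exchange; return (port_open, transcript)."""
    ap = Authenticator(server)
    req = ap.eapol({"type": "eapol-start"})                   # -> EAP-request/identity
    req = ap.eapol({"type": "response/identity", "identity": identity})
    if req["type"] == "request/credentials":                  # came back in Access-Challenge
        ap.eapol({"type": "response/credentials", "identity": identity, "secret": secret})
    return ap.port_open, ap.transcript

if __name__ == "__main__":
    srv = AuthServer({"alice": "correct-horse"})              # constructed sample credential
    print(run_exchange(srv, "alice", "correct-horse")[0])     # True
    print(run_exchange(srv, "alice", "wrong")[0])             # False
```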
Session Summary
– Windows XP has great wireless security features
– There's extensive prescriptive guidance available from our website
– Don't be scared of wireless!
Next Steps
– Find additional security training events: http://www.microsoft.com/seminar/events/security.mspx
– Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx
– Check out Security360: http://www.microsoft.com/seminar/events/series/mikenash.mspx
– Get additional security tools and content: http://www.microsoft.com/security/guidance
Resources
– Microsoft Wi-Fi Page: http://www.microsoft.com/wifi
– The Unofficial 802.11 Security Web Page: http://www.drizzle.com/~aboba/IEEE/
– Intercepting Mobile Communications: The Insecurity of 802.11: http://www.drizzle.com/~aboba/IEEE/wep-draft.zip
– Fluhrer, Mantin, Shamir WEP Paper: http://www.crypto.com/papers/others/rc4_ksaproc.pdf
– WiFi Planet: http://www.wi-fiplanet.com/
– Microsoft Solution for Securing Wireless LANs with PEAP and Passwords (< 1 week): http://www.microsoft.com/technet/security/guidance/peap_0.mspx
– Microsoft Solution for Securing Wireless LANs with Certificates: http://www.microsoft.com/technet/security/prodtech/win2003/pkiwire/swlan.mspx
– Wifi for SOHO Environments: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wifisoho.mspx
Credits
Thanks to Ian Hellen (MCS) & Steve Riley (Corp), as I borrowed several of their slides!