Presentation is loading. Please wait.

Presentation is loading. Please wait.

Implementing Wireless LAN Security

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Implementing Wireless LAN Security"— Presentation transcript:

1 Implementing Wireless LAN Security

2 Objectives List wireless security solutions
Tell the components of the transitional security model Describe the personal security model List the components that make up the enterprise security model

3 Wireless Security Solutions
IEEE a and b standards included WEP specification Vulnerabilities quickly realized Organizations implemented “quick fixes” Did not adequately address encryption and authentication IEEE and Wi-Fi Alliance started working on comprehensive solutions IEEE i and Wi-Fi Protected Access (WPA) Foundations of today’s wireless security

4 WEP2 Attempted to overcome WEP limitations by adding two new security enhancements WEP key increased to 128 bits Kerberos authentication User issued “ticket” by Kerberos server Presents ticket to network for a service Used to authenticate user No more secure than WEP Collisions still occur New dictionary-based attacks available

5 Dynamic WEP Solves weak IV problem by rotating keys frequently
More difficult to crack encrypted packet Uses different keys for unicast and broadcast traffic Unicast WEP key unique to each user’s session Dynamically generated and changed frequently Broadcast WEP key must be same for all users on a particular subnet and AP

6 Dynamic WEP (continued)
B Should be B Should be A

7 Dynamic WEP (continued)
Can be implemented without upgrading device drivers or AP firmware No-cost and minimal effort to deploy Does not protect against man-in-the-middle attacks Susceptible to DoS attacks

8 IEEE 802.11i Provides solid wireless security model
Robust security network (RSN) Addresses both encryption and authentication Encryption accomplished by replacing RC4 with a block cipher Manipulates entire block of plaintext at one time Block cipher used is Advanced Encryption Standard (AES) Three step process Second step consists of multiple rounds of encryption

9 IEEE i (continued)

10 IEEE i (continued) IEEE i authentication and key management is accomplished by IEEE 802.1x standard Implements port security Blocks all traffic on port-by-port basis until client authenticated using credentials stored on authentication server Key-caching: Stores information from a device on the network, for faster re-authentication (In the case when a user roams away and returns) Pre-authentication: Allows a device to become authenticated to an AP before moving to it (Current AP will forward authentication info to the roamed-to AP

11 IEEE i (continued)

12 Wi-Fi Protected Access (WPA)
Subset of i that addresses encryption and authentication Temporal Key Integrity Protocol (TKIP): Replaces WEP’s encryption key with 128-bit per-packet key Dynamically generates new key for each packet Prevents collisions Authentication server can use 802.1x to produce unique master key for user sessions Creates automated key hierarchy and management system

13 Wi-Fi Protected Access (continued)
Message Integrity Check (MIC): Designed to prevent attackers from capturing, altering, and resending data packets Replaces CRC from WEP CRC does not adequately protect data integrity Authentication accomplished via IEEE 802.1x or pre-shared key (PSK) technology PSK passphase serves as seed for generating keys

14 Wi-Fi Protected Access (continued)
Message Integrity Check (MIC)

15 Wi-Fi Protected Access 2 (WPA2)
Second generation of WPA security Based on final IEEE i standard Uses AES for data encryption Supports IEEE 802.1x authentication or PSK technology Allows both AES and TKIP clients to operate in same WLAN (This is useful is case of having legacy devices that can not support AES).

16 Summary of Wireless Security Solutions
Wi-Fi Alliance categorizes WPA and WPA2 by modes that apply to personal use and to larger enterprises Security timeline

17 Summary of Wireless Security Solutions (continued)
Wi-Fi modes AES 802.1x Wireless security solutions

18 Transitional Security Model
Transitional wireless implementation Should be temporary Until migration to stronger wireless security possible Should implement basic level of security for a WLAN Including authentication and encryption

19 Authentication: Shared Key Authentication
Uses WEP keys Networks that support multiple devices should use all four keys Same key should not be designated as default on each device

20 Authentication: SSID Beaconing
Turn off SSID beaconing by configuring APs to not include it Beaconing the SSID is default mode for all APs Good practice to use cryptic SSID Should not provide any information about the location or type of equipment to attackers

21 Authentication: MAC Address Filtering

22 WEP Encryption Although vulnerabilities exist, should be turned on if no other options for encryption are available Use longest WEP key available May prevent script kiddies or “casual” eavesdroppers from attacking Transitional security model

23 Personal Security Model
Designed for single users or small office home office (SOHO) settings Generally 10 or fewer wireless devices Two sections: WPA: Older equipment WPA2: Newer equipment

24 WPA Personal Security: PSK Authentication
Uses passphrase (PSK) that is manually entered to generate the encryption key PSK used a seed for creating encryption keys Key must be created and entered in AP and also on any wireless device (“shared”) prior to (“pre”) the devices communicating with AP

25 WPA Personal Security: TKIP Encryption
TKIP is a substitute for WEP encryption Fits into WEP procedure with minimal change Device starts with two keys: 128-bit temporal key 64-bit MIC Three major components to address vulnerabilities: MIC IV sequence TKIP key mixing TKIP required in WPA

26 WPA Personal Security: TKIP Encryption (continued)
TKIP/MIC process

27 WPA2 Personal Security: PSK Authentication
PSK intended for personal and SOHO users without enterprise authentication server Provides strong degree of authentication protection PSK keys automatically changed (rekeyed) and authenticated between devices after specified period of time or after set number of packets transmitted (rekey interval) Employs consistent method for creating keys Uses shared secret entered at AP and devices Random sequence of at least 20 characters or 24 hexadecimal digits

28 WPA2 Personal Security: AES-CCMP Encryption
WPA2 personal security model encryption accomplished via AES AES-CCMP: Encryption protocol in i CCMP based on Counter Mode with CBC-MAC of AES encryption algorithm Cipher Block Chaining-Message Authentication Code CBC-MAC provides data integrity AES processes blocks of 128 bits Cipher key length can be 128, 192 and 256 bits Number of rounds can be 10, 12, and 14

29 WPA2 Personal Security: AES-CCMP Encryption (continued)
AES encryption/decryption computationally intensive Better to perform in hardware Personal security model

30 Enterprise Security Model
Most secure level of security that can be achieved today for wireless LANs Designed for medium to large-size organizations Intended for setting with authentication server Like personal security model, divided into sections for WPA and WPA2 Additional security tools available to increase network protection

31 WPA Enterprise Security: IEEE 802.1x Authentication
Uses port-based authentication mechanisms Network supporting 802.1x standard should consist of three elements: Supplicant: Wireless device which requires secure network access Authenticator: Intermediary device accepting requests from supplicant Can be an AP or a switch Authentication Server: Accepts requests from authenticator, grants or denies access

32 WPA Enterprise Security: IEEE 802.1x Authentication (continued)
802.1x protocol

33 WPA Enterprise Security: IEEE 802.1x Authentication (continued)
Supplicant is software on a client implementing 802.1x framework Authentication server stores list of names and credentials of authorized users Remote Authentication Dial-In User Service (RADIUS) typically used Allows user profiles to be maintained in central database that all remote servers can share

34 WPA Enterprise Security: IEEE 802.1x Authentication (continued)
802.1x based on Extensible Authentication Protocol (EAP) Several variations: EAP-Transport Layer Security (EAP-TLS) Lightweight EAP (LEAP) EAP-Tunneled TLS (EAP-TTLS) Protected EAP (PEAP) Flexible Authentication via Secure Tunneling (FAST) Each maps to different types of user logons, credentials, and databases used in authentication

35 WPA Enterprise Security: TKIP Encryption
TKIP is a “wrapper” around WEP Provides adequate encryption mechanism for WPA enterprise security Dovetails into existing WEP mechanism Vulnerabilities may be exposed in the future

36 WPA2 Enterprise Security: IEEE 802.1x Authentication
Enterprise security model using WPA2 provides most secure level of authentication and encryption available on a WLAN IEEE 802.1x is strongest type of wireless authentication currently available Wi-Fi Alliance certifies WPA and WPA2 enterprise products using EAP-TLS (Transport Layer Security)

37 WPA2 Enterprise Security: AES-CCMP Encryption
AES: Block cipher that uses same key for encryption and decryption Bits encrypted in blocks of plaintext Calculated independently block size of 128 bits Three possible key lengths: 128, 192, and 256 bits WPA2/802.11i uses128-bit key length Includes four stages that make up one round Each round is iterated 10 times

38 WPA2 Enterprise Security: AES-CCMP Encryption (continued)
Enterprise security model

39 Other Enterprise Security Tools: Virtual Private Network (VPN)
Virtual private network (VPN): Uses a public, unsecured network as if it were private, secured network Two common types: Remote-access VPN: User-to-LAN connection used by remote users Site-to-site VPN: Multiple sites can connect to other sites over Internet VPN transmissions are achieved through communicating with endpoints

40 Other Enterprise Security Tools: Virtual Private Network (continued)
Endpoint: End of tunnel between VPN devices Can local software, dedicated hardware device, or even a firewall VPNs can be used in WLAN setting Tunnel though WLAN for added security Enterprise trusted gateway: Extension of VPN Pairs of devices create “trusted” VPN connection between themselves Can protect unencrypted packets better than a VPN endpoint

41 Other Enterprise Security Tools: Wireless Gateway
AP equipped with additional functionality Most APs are wireless gateways Combine functionality of AP, router, network address translator, firewall, and switch On enterprise level, wireless gateway may combine functionality of a VPN and an authentication server Can provide increased security for connected APs

42 Other Enterprise Security Tools: Wireless Intrusion Detection System (WIDS)
Intrusion-detection system (IDS): Monitors activity on network and what the packets are doing May perform specific function when attack detected May only report information, and not take action Wireless IDS (WIDS): Constantly monitors RF frequency for attacks Based on database of attack signatures or on abnormal behavior Wireless sensors lie at heart of WIDS Hardware-based have limited coverage, software-based have extended coverage

43 Other Enterprise Security Tools: Captive Portal
Web page that wireless users are forced to visit before they are granted access to Internet Used in one of the following ways: Notify users of wireless policies and rules Advertise to users specific services or products Authenticate users against a RADIUS server Often used in public hotspots

44 Summary IEEE i and Wi-Fi Protected Access (WPA), have become the foundations of today’s wireless security Dynamic WEP attempts to solve the weak initialization vector (IV) problem by rotating the keys frequently, making it much more difficult to crack the encrypted packet The IEEE i standard provided a more solid wireless security model, such as the block cipher Advanced Encryption Standard (AES) and IEEE 802.1x port security

45 Summary (continued) WPA is a subset of i and addresses both encryption and authentication The transitional security model uses shared key authentication, turning off SSID beaconing, and implementing MAC address filtering The personal security model is designed for single users or small office home office (SOHO) settings of generally 10 or fewer wireless devices and does not include an authentication server

46 Summary (continued) The enterprise security model is intended for settings in which an authentication server is available; if an authentication server is not available the highest level of the personal security model should be used instead Additional security tools that can supplement the enterprise security model to provide even a higher degree of security include virtual private networks, wireless gateways, wireless intrusion detection systems (WIDS), and captive portals

Download ppt "Implementing Wireless LAN Security"

Similar presentations

Chapter 07 Designing and Implementing Security for WLAN

Chapter 07 Designing and Implementing Security for WLAN
IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
CSE 6590 1.  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in 802.11  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 

CSE  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
Understanding and Achieving Next-Generation Wireless Security Motorola, Inc James Mateicka.

Understanding and Achieving Next-Generation Wireless Security Motorola, Inc James Mateicka.
Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.

Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Security+ Guide to Network Security Fundamentals, Third Edition

Security+ Guide to Network Security Fundamentals, Third Edition
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.

Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
MITP | Master of Information Technology Program Securing Wireless LAN using Cisco-based technology Campus Crew Study Group Paul Matijevic Ed McCulloch.

MITP | Master of Information Technology Program Securing Wireless LAN using Cisco-based technology Campus Crew Study Group Paul Matijevic Ed McCulloch.
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 6 Wireless Network Security.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 6 Wireless Network Security.
WIRELESS NETWORK SECURITY. Hackers Ad-hoc networks War Driving Man-in-the-Middle Caffe Latte attack.

WIRELESS NETWORK SECURITY. Hackers Ad-hoc networks War Driving Man-in-the-Middle Caffe Latte attack.
WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.

WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.

Similar presentations

Ads by Google