Presentation is loading. Please wait.

Presentation is loading. Please wait.

MITP | Master of Information Technology Program Securing Wireless LAN using Cisco-based technology Campus Crew Study Group Paul Matijevic Ed McCulloch.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "MITP | Master of Information Technology Program Securing Wireless LAN using Cisco-based technology Campus Crew Study Group Paul Matijevic Ed McCulloch."— Presentation transcript:

1 MITP | Master of Information Technology Program Securing Wireless LAN using Cisco-based technology Campus Crew Study Group Paul Matijevic Ed McCulloch Peter Mozdzierz Greg Schrader June 2007

2 MITP | Master of Information Technology Program Outline Scenario Solution Solution Rationale Concerns

3 MITP | Master of Information Technology Program Scenario Deploy a wireless LAN infrastructure Provide coverage for the following areas of a manufacturing environment: –Office –Shop floor Security goals: –protect data confidentiality and integrity –authenticate and authorize each user –provide scalability and central manageability

4 MITP | Master of Information Technology Program Solution Hardware purchased: –8 Cisco 1200 Access Points (enterprise grade) Assigned different channels to minimize interference Assigning use of only channels 1, 6, and 11 minimizes interference by maximizing distance between carrier frequencies –Cisco 802.11 b/g computer hardware PCI adapters and PCMCIA cards

5 MITP | Master of Information Technology Program Solution 14 overlapping (staggered) channels (11 in the U.S.) Center frequencies are separated by 5 MHz 2007 MITP 413 Wireless Technology - Michael L. Honig

6 MITP | Master of Information Technology Program Solution Security considerations: –Encryption Algorithm mechanism –Message Integrity mechanism –Authentication Framework mechanism –Authentication Algorithm mechanism

7 MITP | Master of Information Technology Program Wi-Fi Protected Access (WPA) Flaws in WEP (Wired Equivalent Privacy) known since January 2001 - flaws include weak encryption (keys no longer than 40 bits), static encryption keys, lack of key distribution method. In April 2003, the Wi-Fi Alliance introduced an interoperable security protocol known as WiFi Protected Access (WPA), based on draft 3 of the IEEE 802.11i amendment. WPA was designed to be a replacement for WEP networks without requiring hardware replacements, using a subset IEEE 802.11i amendment. WPA provides stronger data encryption (weak in WEP) and user authentication (largely missing in WEP).

8 MITP | Master of Information Technology Program WPA Security Enhancements WPA includes Temporal Key Integrity Protocol (TKIP) and 802.1x mechanisms. The combination of these two mechanisms provides dynamic key encryption and mutual authentication TKIP adds the following strengths to WEP: –48-bit initialization vectors, use one-way hash function instead of XOR –Per-packet key construction and distribution: WPA automatically generates a new unique encryption key periodically for each client. In fact, WPA uses a unique key for each 802.11 frame. This avoids the same key staying in use for weeks or months as they do with WEP –Message integrity code: guard against forgery attacks.

9 MITP | Master of Information Technology Program Solution

10 MITP | Master of Information Technology Program Message Integrity Solution Using TKIP-MIC (message integrity check) MIC ensures data frames have not been tampered with and authenticity of source addresses –Also prevents WEP reuse 8 byte field placed between data portion of 802.11 frame and 4 byte ICV (integrity Check Value) protecting both payload and header

11 MITP | Master of Information Technology Program WPA2 In July 2004, the IEEE approved the full IEEE 802.11i specification, which was quickly followed by a new interoperability testing certification from the WiFi Alliance known as WPA2. Strong encryption and authentication for infrastructure and ad- hoc networks (WPA1 is limited to infrastructure networks) Support for the CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) encryption mechanism based on the AES as an alternative to the TKIP protocol –AES is the equivalent of the RC4 algorithm used by WPA. –CCMP is the equivalent of TKIP in WPA. Changing even one bit in a message produces a totally different result. CCMP utilizes 128-bit keys, with a 48-bit initialization vector (IV) for replay detection

12 MITP | Master of Information Technology Program WPA2 TKIP was designed as an interim solution for wireless security, with the goal of providing sufficient security for 5 years while organizations transitioned to the full IEEE 802.11i security mechanism. As of March 2006, the WPA2 certification became mandatory for all new equipment certified by the Wi-Fi Alliance, ensuring that any reasonably modern hardware will support both WPA1 and WPA2.

13 MITP | Master of Information Technology Program Authentication Solution Facilitates authentication messages sent between AP’s and clients 802.1x authentication used –Protocol resides at layer 2 - supports EAP (extensible authentication protocol) –Provides centralized policy control with timeout triggers AP’s blocked until authentication process complete RADIUS ( Remote Access Dial-In User Service) server used –Low deployment complexity

14 MITP | Master of Information Technology Program Authentication Solution

15 MITP | Master of Information Technology Program Authentication Solution Authentication Algorithm –Validates each users network access credentials –RADIUS server stores strong passwords 25 alphanumeric characters Non-dictionary phrases –Passwords encrypted and stored in users wireless profiles –Cisco’s LEAP (lightweight extensible authentication protocol) used Allows for clients to re-authenticate frequently

16 MITP | Master of Information Technology Program Solution

17 MITP | Master of Information Technology Program Solution Additional security –MAC address authentication –Valid addresses authenticated against list in RADIUS server –AP’s also possess a copy of users, passwords and valid MAC addresses MAC and IP address spoofing is very difficult with 802.11X implementations

18 MITP | Master of Information Technology Program Concerns LEAP allows clients to acquire a new WEP key that does not expire - could be hacked –Considered minimal risk in this case Employees installing their own WLAN devices –AP’s configured to collect rogue SSID info DoS attacks could occur against AP’s –Alarms configured to observe flooding behavior –Logs track details of usage and are reviewed regularly –Telnet disabled in favor of SSH

19 MITP | Master of Information Technology Program Wireless IDS is not installed –WIDS understands data level patterns / signatures (like wired IDS) and also RF signatures of attacks –Current hardware does not include IDS At the time of purchase, software IDS was not an option –Newer versions of Cisco AP’s include IDS capability AP’s are upgradeable (as of 2005) Firmware upgrade would install software wireless IDS Concerns

20 MITP | Master of Information Technology Program Questions? Other than Ron…

21 MITP | Master of Information Technology Program Other EAP EAP-MD5 LEAP (Lightweight EAP) –CISCO authentication that provides mutual authentication and dynamic WEP key generation EAP-TLS (Transport Layer Security) –offers full authentication consistent with PKI public/private keys, PKI and digital certificates –Needs client certificate in order to authenticate client –Users login from different computers in coffee shops –Users are more familiar with the idea of passwords. Certificates may require some training.

22 MITP | Master of Information Technology Program Other EAPs EAP-PEAP and EAP-TTLS –Uses Transport Level Security (TLS) to create an encrypted channel between an authenticating PEAP client, such as a wireless computer, and a PEAP authenticator –Establish a strongly encrypted "outer" TLS tunnel in stage one and then exchange authentication credentials (inner EAP) through an "inner" method in stage two. –Plus, as a result of authentication, session keys are distributed to enable data privacy between client and access point.

23 MITP | Master of Information Technology Program Solution

24 MITP | Master of Information Technology Program Solution Rationale WEP encryption and static-WEP key vulnerabilities are patched with 802.11X protocols Authentication vulnerabilities minimized by use of strong, non-dictionary passwords Cisco TKIP protocol preferred over WPA (Wi-Fi Protected Access) –TKIP session key rotation is dynamic –Changes every 4 hours and 40 minutes

Download ppt "MITP | Master of Information Technology Program Securing Wireless LAN using Cisco-based technology Campus Crew Study Group Paul Matijevic Ed McCulloch."

Similar presentations

IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
CSE 6590 1.  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in 802.11  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 

CSE  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – 802.11b  Security Mechanisms in 802.11b  Security Problems in 802.11b  Solutions for 802.11b.

無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – b  Security Mechanisms in b  Security Problems in b  Solutions for b.
Implementing Wireless LAN Security

Implementing Wireless LAN Security
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.

Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.
Wireless Security. Access Networks Core Networks The Current Internet: Connectivity and Processing Transit Net Private Peering NAP Public Peering PSTN.

Wireless Security. Access Networks Core Networks The Current Internet: Connectivity and Processing Transit Net Private Peering NAP Public Peering PSTN.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
Wireless Security. Access Networks Core Networks The Current Internet: Connectivity and Processing Transit Net Private Peering NAP Public Peering PSTN.

Wireless Security. Access Networks Core Networks The Current Internet: Connectivity and Processing Transit Net Private Peering NAP Public Peering PSTN.
W i reless LAN Security Presented by: Pallavi Priyadarshini Student ID 003503527.

W i reless LAN Security Presented by: Pallavi Priyadarshini Student ID
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.

11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-1 Security Olga Torstensson Halmstad University.

© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-1 Security Olga Torstensson Halmstad University.
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Wireless Security. Access Networks Core Networks The Current Internet: Connectivity and Processing Transit Net Private Peering NAP Public Peering PSTN.

Wireless Security. Access Networks Core Networks The Current Internet: Connectivity and Processing Transit Net Private Peering NAP Public Peering PSTN.

Similar presentations

Ads by Google