Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 © 2000, Cisco Systems, Inc. Cisco Company Confidential - Do not distributeSE Meeting – November 16th 2000 Security for Next Generation Wireless LANs.

Published byRuth Rich Modified over 8 years ago

Similar presentations

Presentation on theme: "1 © 2000, Cisco Systems, Inc. Cisco Company Confidential - Do not distributeSE Meeting – November 16th 2000 Security for Next Generation Wireless LANs."— Presentation transcript:

1 1 © 2000, Cisco Systems, Inc. Cisco Company Confidential - Do not distributeSE Meeting – November 16th 2000 Security for Next Generation Wireless LANs WNBU Technical Marketing

2 2 350 Security Update 1/2001Cisco Company Confidential - Do not distribute Agenda Recap – WEP/SSIDs/authentication Deployment issues with 802.11 today 802.1X for 802.11 Deployment of new security feature-set Standards update/Pointers Questions ?

3 3 350 Security Update 1/2001Cisco Company Confidential - Do not distribute Agenda Recap – WEP/SSIDs/authentication SSIDs in 802.11 Association Open Authentication Shared-key Authentication WEP/RC4 in 802.11 WEP encrypted frames

4 4 350 Security Update 1/2001Cisco Company Confidential - Do not distribute Past Security Methods SSID (Service Set Identifier) Commonly used feature in Wireless LANs which provides a rudimentary level of security. Serves to logically segment the users and Access Points that form part of a Wireless subsystem. May be advertised or manually pre-configured at the station.

5 5 350 Security Update 1/2001Cisco Company Confidential - Do not distribute RECAP - SSIDs in 802.11

6 6 350 Security Update 1/2001Cisco Company Confidential - Do not distribute SSID problem 32 ASCII character string Under 802.11, any client with a ‘NULL’ string will associate to any AP regardless of SSID setting on AP This is NOT a security feature!

7 7 350 Security Update 1/2001Cisco Company Confidential - Do not distribute RECAP- Association With 802.11 Client (user machine) Access Point Probe request on 11 channels; may include (broadcast) SSID Probe response including info not in spec, such as # clients, % load AP selection based on strength and quality of signal Wired Ethernet LAN Access Point

8 8 350 Security Update 1/2001Cisco Company Confidential - Do not distribute RECAP - Open Authentication With 802.11 Client AP Authentication request Open Authentication Authentication response Open or Shared needs to be setup identically on both the Access Point and Client

9 9 350 Security Update 1/2001Cisco Company Confidential - Do not distribute RECAP - WEP/RC4 in 802.11

10 10 350 Security Update 1/2001Cisco Company Confidential - Do not distribute RECAP – WEP Encrypted Frames

11 11 350 Security Update 1/2001Cisco Company Confidential - Do not distribute RECAP - Shared-key Authentication With 802.11 Open or Shared needs to be setup identically on both the Access Point and Client Client AP Authentication request Shared-Key Authentication Challenge text packet Authentication response Encrypted challenge text packet

12 12 350 Security Update 1/2001Cisco Company Confidential - Do not distribute Agenda Recap – WEP/SSIDs/authentication Deployment issues with 802.11 today 802.1X for 802.11 Deployment of new security feature-set Standards Update/Pointers Questions ?

13 13 350 Security Update 1/2001Cisco Company Confidential - Do not distribute Deployment issues with 802.11 today Lack of integrated User administration Integration with existing user administration tools required (RADIUS, LDAP-based directories) Identification via User-Name easier to administer than MAC address identification Usage accounting and auditing desirable Lack of Key management solution Static keys difficult to manage on clients, access points Proprietary key management solutions require separate user databases

14 14 350 Security Update 1/2001Cisco Company Confidential - Do not distribute 802.11 Security Issues User loses wireless NIC, doesn’t report it Without user authentication, Intranet now accessible by attackers Without centralized accounting and auditing, no means to detect unusual activity Users who don’t log on for periods of time Users who transfer too much data, stay on too long Multiple simultaneous logins Logins from the “wrong” machine account With global keys, large scale re-keying required

15 15 350 Security Update 1/2001Cisco Company Confidential - Do not distribute Comparison First-generation 802.11 Security Issues Vulnerability 802.11 w/per Packet IV Addition of keyed Integrity check 3DES instead of WEP/ RC4 802.11 w/MIC Kerb + DES ImpersonationVulnerable Fixed NIC theftVulnerable Fixed Brute force attack (40/56 bit key)Vulnerable FixedVulnerable Packet spoofingVulnerableFixedVulnerableFixed Rogue Access PointsVulnerable Fixed Disassociation spoofingVulnerableFixedVulnerableFixed Passive monitoringVulnerable Global keying issuesVulnerable Fixed Pre-computed dictionary attackImplementation Vulnerable Offline dictionary attackVulnerable

16 16 350 Security Update 1/2001Cisco Company Confidential - Do not distribute Agenda Recap – WEP/SSIDs/authentication Deployment issues with 802.11 today 802.1X for 802.11 Deployment of new security feature-set Standards Update/Pointers Questions ?

17 17 350 Security Update 1/2001Cisco Company Confidential - Do not distribute What Is 802.1X ? IEEE Standard in progress Port Based Network Access Control

18 18 350 Security Update 1/2001Cisco Company Confidential - Do not distribute General Description IEEE 802.1X Terminology Authenticator (e.g. Switch, Access Point) Supplicant Enterprise Network Semi-Public Network / Enterprise Edge Authentication Server RADIUSRADIUS EAP Over Wireless (EAPOW) EAP Over RADIUS PAE PAE Controlled port Uncontrolled port EAP Over LAN (EAPOL)

19 19 350 Security Update 1/2001Cisco Company Confidential - Do not distribute IEEE 802.1X Conversation Ethernet Laptop computer 802.1X Authenticator/Bridge Radius Server EAPOL-Start EAP-Request/Identity EAP-Response/Identity EAP-Request Radius-Access-Request Radius-Access-Challenge EAP-Response (cred) Radius-Access-Request EAP-Success Access blocked Port connect Radius-Access-Accept Access allowed RADIUS EAPOL

20 20 350 Security Update 1/2001Cisco Company Confidential - Do not distribute IEEE 802.1X Over 802.11 Ethernet Access Point Radius Server EAPOL-Start EAP-Request/Identity EAP-Response/Identity EAP-Request Radius-Access-Request Radius-Access-Challenge EAP-Response (cred) Radius-Access-Request EAP-Success Access blocked Association Radius-Access-Accept RADIUS EAPOW Laptop computer Wireless 802.11 802.11 Associate Access allowed EAPOW-Key (WEP)

21 21 350 Security Update 1/2001Cisco Company Confidential - Do not distribute 802.1X Packet exchange Start Authenticate Finish

22 22 350 Security Update 1/2001Cisco Company Confidential - Do not distribute 802.1X Packet Exchange Start -1 EAPOL-Start Defined in IEEE 802.1X draft Purpose: Start the authentication process. EAP supplicant is ready for authenticator. EAPOL-Start EAP- Request/Identity EAP- Response/Identity Radius-Access-Request

23 23 350 Security Update 1/2001Cisco Company Confidential - Do not distribute 802.1X Packet Exchange Start -2 EAP-Request/Identity EAP-Packet defined in 802.1X draft. EAP-Request/Identity defined in RFC2284. Purpose: Start the authentication process. Authenticator asks for supplicants Identity. EAPOL-Start EAP- Request/Identity EAP- Response/Identity Radius-Access-Request

24 24 350 Security Update 1/2001Cisco Company Confidential - Do not distribute 802.1X Packet Exchange Start -3 EAP-Response/Identity EAP-Packet defined in 802.1X draft. EAP-Response/Identity defined in RFC2284. Purpose: Supplicant delivers its Identity. AP uses this to send the Radius-Access-Request. EAPOL-Start EAP- Request/Identity EAP- Response/Identity Radius-Access-Request

25 25 350 Security Update 1/2001Cisco Company Confidential - Do not distribute 802.1X Packet Exchange Authenticate EAP-Request EAP-ResponseRadius-Access-Request Radius-Access-Challenge Authenticate sequence varies per authentication method Radius-Access-Request

26 26 350 Security Update 1/2001Cisco Company Confidential - Do not distribute 802.1X Packet Exchange Authenticate Draft-ietf-radius-ext-07 describes encapsulating EAP in the radius protocol. Transport Level Security (TLS) described in RFC2246 EAP-TLS described in RFC2716 EAP-Request EAP-ResponseRadius-Access-Request Radius-Access- Challenge Radius-Access-Request

27 27 350 Security Update 1/2001Cisco Company Confidential - Do not distribute 802.1X Packet Exchange Finish -1 Radius-Access-Accept Contains MS-MPPE-Send-Key attribute per RFC2548. This WEP session key has already been delivered/derived by the supplicant in the authentication phase. It is delivered here to the AP. EAP-SuccessRadius-Access-Accept EAPOW-Key

28 28 350 Security Update 1/2001Cisco Company Confidential - Do not distribute 802.1X Packet Exchange Finish -2 EAP-Success Defined in IEEE 802.1X draft. Supplicant could turn WEP on (timing). EAP-SuccessRadius-Access-Accept EAPOW-Key

29 29 350 Security Update 1/2001Cisco Company Confidential - Do not distribute 802.1X Packet Exchange Finish -3 EAPOW-Key Defined in IEEE 802.1X draft 5. Broadcast WEP key to the supplicant. EAPOW-Key gets sent without WEP since timing is not certain. The WEP broadcast keys are encrypted with the session key via software. EAP-SuccessRadius-Access-Accept EAPOW-Key Supplicant & Authenticator start using the WEP session key.

30 30 350 Security Update 1/2001Cisco Company Confidential - Do not distribute Advantages of 802.1X for 802.11 Open, extensible and standards based. Enables interoperable user identification, centralized authentication, key management. Leverages existing standards: EAP (extensible authentication protocol), RADIUS. Compatible with existing roaming technologies, enabling use in hotels and public places. User-based identification. Dynamic key management. Centralized user administration. Support for RADIUS (RFC 2138, 2139) enables centralized authentication, authorization and accounting. RADIUS/EAP (draft-ietf-radius-ext-07.txt) enables encapsulation of EAP packets within RADIUS.

31 31 350 Security Update 1/2001Cisco Company Confidential - Do not distribute Advantages of 802.1X for 802.11 - continued Extensible authentication support EAP designed to allow additional authentication methods to be deployed with no changes to the access point or client NIC RFC 2284 includes support for password authentication (EAP- MD5), One-Time Passwords (OTP) Windows 2000 supports smartcard authentication (RFC 2716) and Security Dynamics

32 32 350 Security Update 1/2001Cisco Company Confidential - Do not distribute Agenda Recap – WEP/SSIDs/authentication Deployment issues with 802.11 today 802.1X for 802.11 Deployment case study with new security features Standards Update Questions ?

33 33 350 Security Update 1/2001Cisco Company Confidential - Do not distribute Cisco Security Framework EAP Layer Method Layer TLS Media Layer NDIS APIs EAP APIs PPP 802.3 802.11 LEAP GSS_API VPN 802.1X Backend AAA infrastructure CS-ACS2000 2.6, Third party EAP-Radius,Kerberos... Backend AAA infrastructure CS-ACS2000 2.6, Third party EAP-Radius, Kerberos... IKE EAP Layer NDIS APIs EAP Method Layer EAP LEAP Media Layer APIs 802.11

34 34 350 Security Update 1/2001Cisco Company Confidential - Do not distribute Why LEAP ? Cisco Lightweight EAP (LEAP) Authentication type No native EAP support currently available on legacy operating systems EAP-MD5 does not do mutual authentication EAP-TLS (certificates/PKI) too intense for security baseline feature-set Quick support on multitude of host systems Lightweight implementation reduces support requirements on host systems Need support in backend for delivery of session key to access points to speak WEP with client

35 35 350 Security Update 1/2001Cisco Company Confidential - Do not distribute Cisco LEAP deployment Ethernet EAP Access Point LEAP Radius Server Laptop computer with LEAP supplicant Wireless Network Logon Win 95/98 Win NT Win 2K Win CE MacOS Linux Backbon e Driver for OS x LEAP Authentication support Dynamic WEP key support Capable of speaking EAP Radius Cisco Secure ACS 2.6 Authentication database Can use Windows user database Radius DLL LEAP Authentication support MS-MPPE-Send-key support EAP extensions for Radius EAP Authenticator EAP-LEAP today EAP-TLS soon ….. Client/SupplicantAuthenticator Backend/Radius server

36 36 350 Security Update 1/2001Cisco Company Confidential - Do not distribute LEAP Client / Supplicant Support

37 37 350 Security Update 1/2001Cisco Company Confidential - Do not distribute EAP Support in Access Point

38 38 350 Security Update 1/2001Cisco Company Confidential - Do not distribute LEAP Support in Radius Server -1 Configuring the user database

39 39 350 Security Update 1/2001Cisco Company Confidential - Do not distribute LEAP Support in Radius Server -2 Configuring the NAS/AP

40 40 350 Security Update 1/2001Cisco Company Confidential - Do not distribute What Does the Radius Server Perform? Cont. Authentication Generates dynamic session key Sends session key to access point

41 41 350 Security Update 1/2001Cisco Company Confidential - Do not distribute What Does the AP Perform? Cont. On successful authentication, Send broadcast WEP key to client. Maintain clients WEP key. Start running WEP with client. Distribute pre-auth.

42 42 350 Security Update 1/2001Cisco Company Confidential - Do not distribute Future EAP Client Work ? Microsoft placing 802.11 EAP Native supplicant in, Win2K, WinCE What about other Microsoft OS’s? Win9x/WinNT (need LEAP) What about other OS’s? Linux, MacOS (need LEAP)

43 43 350 Security Update 1/2001Cisco Company Confidential - Do not distribute Future Backend Work ? Support for Kerberos Promote EAP authentication types on backend servers Integrate with SSGs.. etc

44 44 350 Security Update 1/2001Cisco Company Confidential - Do not distribute What About Edge Devices Support for 802.1X Authenticator ? ELoB Switches. Catalyst 6k/5k/4k... DSBU Switches. Catalyst 29xx/35xx...

45 45 350 Security Update 1/2001Cisco Company Confidential - Do not distribute Agenda Recap – WEP/SSIDs/authentication Deployment issues with 802.11 today 802.1X for 802.11 Deployment of new security feature-set Standards Update/Pointers Questions ?

46 46 350 Security Update 1/2001Cisco Company Confidential - Do not distribute Standards Update 802.1X Current Status Draft 8 : http://www.manta.ieee.org/groups/802/1/pages/802.1x.html Scheduled for letter ballot, January 2001 802.11 Security TG e (Task Group E) Working on security and QoS extensions to the MAC 802.11 layer TG-e Security sub-group chair : Dave Halasz (Cisco- Aironet Engineering) Joint multi-vendor 802.1X for 802.11 proposal accepted as baseline security document.

47 47 350 Security Update 1/2001Cisco Company Confidential - Do not distributePointers Whitepaper : Security for Next Generation Wireless LANs v1.1 http://wwwin.cisco.com/cmc/cc/pd/witc/ao340ap/prodlit/wlanw_in.msw IEEE 802.1X http://grouper.ieee.org/groups/802/1/pages/802.1x.html RADIUS http://www.ietf.org/rfc/rfc2138.txt http://www.ietf.org/rfc/rfc2139.txt http://www.ietf.org/rfc/rfc2548.txt http://www.ietf.org/internet-drafts/draft-ietf-radius-radius-v2-06.txt http://www.ietf.org/internet-drafts/draft-ietf-radius-accounting-v2-05.txt http://www.ietf.org/internet-drafts/draft-ietf-radius-ext-07.txt http://www.ietf.org/internet-drafts/draft-ietf-radius-tunnel-auth-09.txt http://www.ietf.org/internet-drafts/draft-ietf-radius-tunnel-acct-05.txt EAP http://www.ietf.org/rfc/rfc2284.txt http://www.ietf.org/rfc/rfc2716.txt

48 48 350 Security Update 1/2001Cisco Company Confidential - Do not distribute Agenda Recap 1st-generation security for 802.11 WLANs Deployment issues with 802.11 today 802.1X for 802.11 Standards Update Questions ?

49 49Presentation_ID © 2000, Cisco Systems, Inc.

Download ppt "1 © 2000, Cisco Systems, Inc. Cisco Company Confidential - Do not distributeSE Meeting – November 16th 2000 Security for Next Generation Wireless LANs."

Similar presentations

Inter WISP WLAN roaming

Inter WISP WLAN roaming
Authentication.

Authentication.
Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
1 © 2005 Cisco Systems, Inc. All rights reserved. CONFIDENTIAL AND PROPRIETARY INFORMATION Cisco Wireless Strategy Extending and Securing the Network Bill.

1 © 2005 Cisco Systems, Inc. All rights reserved. CONFIDENTIAL AND PROPRIETARY INFORMATION Cisco Wireless Strategy Extending and Securing the Network Bill.
Doc.: IEEE 802.11-00/275 Submission September 2000 David Halasz, Cisco Systems, Inc.Slide 1 IEEE 802.1X for IEEE 802.11 David Halasz, Stuart Norman, Glen.

Doc.: IEEE /275 Submission September 2000 David Halasz, Cisco Systems, Inc.Slide 1 IEEE 802.1X for IEEE David Halasz, Stuart Norman, Glen.
1 © 2000, Cisco Systems, Inc. Wireless LAN Roadmap: Performance and Hardware Features 1.

1 © 2000, Cisco Systems, Inc. Wireless LAN Roadmap: Performance and Hardware Features 1.
無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – 802.11b  Security Mechanisms in 802.11b  Security Problems in 802.11b  Solutions for 802.11b.

無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – b  Security Mechanisms in b  Security Problems in b  Solutions for b.
802.11 security Courtesy of William Arbaugh with Univ. of Maryland Jesse Walker with Intel Gunter Schafer with TU Berlin Bernard Aboba with Microsoft.

security Courtesy of William Arbaugh with Univ. of Maryland Jesse Walker with Intel Gunter Schafer with TU Berlin Bernard Aboba with Microsoft.
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.

11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
Wireless LAN Security Framework Backend AAA Infrastructure RADIUS, TACACS+, LDAP, Kerberos TLSLEAPTTLSPEAPMD5 VPN EAP PPP 802.3802.5802.11 802.1x EAP API.

Wireless LAN Security Framework Backend AAA Infrastructure RADIUS, TACACS+, LDAP, Kerberos TLSLEAPTTLSPEAPMD5 VPN EAP PPP x EAP API.
December 17, 2002 1 Wi-Fi Mark Faggiano GBA 576. December 17, 20022 Purpose of the Project  I hear Wi-Fi, WLAN, 802.11 everywhere  What does it all.

December 17, Wi-Fi Mark Faggiano GBA 576. December 17, Purpose of the Project  I hear Wi-Fi, WLAN, everywhere  What does it all.
Ariel Eizenberg arielez@cs.huji.ac.il PPP Security Features Ariel Eizenberg arielez@cs.huji.ac.il.

Ariel Eizenberg PPP Security Features Ariel Eizenberg
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-1 Security Olga Torstensson Halmstad University.

© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-1 Security Olga Torstensson Halmstad University.
Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.

Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
WLAN Security:PEAP Sunanda Kandimalla. Intoduction The primary goals of any security setup for WLANs should include: 1. Access control and mutual authentication,

WLAN Security:PEAP Sunanda Kandimalla. Intoduction The primary goals of any security setup for WLANs should include: 1. Access control and mutual authentication,
Master Thesis Proposal By Nirmala Bulusu Advisor – Dr. Edward Chow Implementation of Protected Extensible Protocol (PEAP) – An IEEE 802.1x wireless LAN.

Master Thesis Proposal By Nirmala Bulusu Advisor – Dr. Edward Chow Implementation of Protected Extensible Protocol (PEAP) – An IEEE 802.1x wireless LAN.

Similar presentations

Ads by Google