Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2004 Bluesocket, Inc. Secure Mobility ™ Wireless Security: Issues and Solutions Mike Brockney Bluesocket www.bluesocket.com.

Published byReynold Austin Modified over 8 years ago

Similar presentations

Presentation on theme: "© 2004 Bluesocket, Inc. Secure Mobility ™ Wireless Security: Issues and Solutions Mike Brockney Bluesocket www.bluesocket.com."— Presentation transcript:

1 © 2004 Bluesocket, Inc. Secure Mobility ™ Wireless Security: Issues and Solutions Mike Brockney Bluesocket www.bluesocket.com

2 © 2004 Bluesocket, Inc. Secure Mobility ™ Agenda  WLAN Security and Management Requirements  WLAN Challenges  WLAN security standards –WEP, WPA, 802.11i  VPNs and WLANs  Evolution of WLAN deployment model

3 © 2004 Bluesocket, Inc. Secure Mobility ™ A little Wi-fi related joke:

4 © 2004 Bluesocket, Inc. Secure Mobility ™ About Bluesocket…

5 © 2004 Bluesocket, Inc. Secure Mobility ™ WLAN Management & Security Requirements  Access Control –Authentication –Authorization –Airlink Privacy –Physical Security  Data is more dense –Need to manage bandwidth –Avoid unnecessary encryption overhead –Don’t allow bandwidth “hogs”  Imperative for Interoperability –Multiple devices: laptops, PDAs, scanners, phones, networking vendors’ appliances –Different radio protocols (802.11 alphabet soup)  Need for simple management –Single Web-based login –Transparent login where possible –Guest / Visitor Access –Client software maintenance at a minimum  Secure Mobility™ and Policy-based networks –Voice over WLAN will be widely used

6 © 2004 Bluesocket, Inc. Secure Mobility ™ Wireless LAN Challenges – Minimal security and management in APs No Bandwidth Management or QoS Stop or Go - Same Access For All Visitor or Employee or Contractor (Policy Management) Weak Security No True Mobility

7 © 2004 Bluesocket, Inc. Secure Mobility ™ Wireless LAN Challenges – Rogue APs  Employee brings an AP to work and simply plugs it in, opening your network to anyone within radio distance  Malicious user attaches an AP to the network to allow access  Attacker positions an AP near the building in an attempt to have a legitimate user associate with it  AirMagnet, AirDefense, Wavelink can detect and alert in real-time  Cisco, Proxim/Orinoco and others are now building Rogue Detection into standard APs

8 © 2004 Bluesocket, Inc. Secure Mobility ™ Wireless LAN Challenges – Emerging 802.11 devices

9 © 2004 Bluesocket, Inc. Secure Mobility ™ Wireless LAN Challenges – Network Authentication 802.1x Admin PPTP Executive IPsec Finance Clear Visitor ACS LDAP Radius NT Domain

10 © 2004 Bluesocket, Inc. Secure Mobility ™ Wireless LAN Challenges – Which standards?  The “Alphabet Soup” of 802.11 standards (b, a, g, h, i, e, f, 1x) and the need to support other wireless interfaces such as Bluetooth on PDAs brings upgrade and compatibility challenges ? ? Solutions must be ‘agnostic’ to support current and future standards Which protocol? Which air interface? Which vendor?

11 © 2004 Bluesocket, Inc. Secure Mobility ™ WEP Security – Wired Equivalent Privacy  Available in all APs and wireless cards  Available in many different key lengths  Uses a static key to encrypt data  Good for home use  Better than no security at all  Can be difficult to manage keys  Encryption algorithm has been compromised

12 © 2004 Bluesocket, Inc. Secure Mobility ™ WEP Security – Wired Equivalent Privacy  A series of academic papers exposed serious flaws in WEP– the security system built into the 802.11b standard.  Rapid passive attack was first described in July 2001by Fluhrer, Mantin & Shamir.  AT&T Labs team successfully implemented the attack and concluded that WEP is “totally insecure”.  In August 2001, the Airsnort program was released on the Web. http://airsnort.sourceforge.net/

13 © 2004 Bluesocket, Inc. Secure Mobility ™ 802.1x Background  802.1x is an IEEE standard –Originally designed for Port Authentication in wired networks –IEEE 802.11 has chosen to use 802.1x to support access authentication in WLANs (June 2001)  Enables authentication and key management for WLANs –Dynamic WEP encryption designed to overcome issues with WEP  Augmented to use Upper Layer Authentication Protocols (ULAPs) as a framework for authentication –An EAP is an implementation –802.1x originated as a Point-to-Point Protocol (PPP) authentication scheme along with RADIUS –Implementing EAP methods in mobile devices requires modifications/additions to the operating system

14 © 2004 Bluesocket, Inc. Secure Mobility ™ 802.1X & EAP 802.1X defines EAPOL (Extensible Authentication Protocol Over LAN) Provides centralized authentication and dynamic key exchange EAP packets carried at the MAC layer, embed RADIUS commands Different EAP types deliver different authentication techniques Campus Network Supplicant EAPOLRADIUS EAP- (TLS, TTLS, PEAP, LEAP) Authentication Server Authenticator

15 © 2004 Bluesocket, Inc. Secure Mobility ™ 802.1x: EAP Methods  There is no “standard” EAP, but several competing protocols –LEAP, MD5, TTLS, TLS, PEAP, SRP, SIM, AKA –The same EAP method needs to be supported on the client device and Authentication Server  EAP Methods can be sorted into 3 approaches –Password based (can be open to dictionary attacks) –Digital Certificate based (cumbersome to set-up and manage) –Token Based  Early Entries into the field were LEAP, TLS (Mutual Authentication) and TTLS (Digital Certificate for Server-side Authentication)  Emerging Leaders: –PEAP (Microsoft, Cisco and RSA), TTLS (Funk and Certicom)  No specific EAP for PDA clients (PocketPC2002 or Palm), Wi-Fi Phones (SpectraLink, etc.) or Apple devices

16 © 2004 Bluesocket, Inc. Secure Mobility ™ PEAP (Protected Extensible Authentication Protocol)  Microsoft has started shipping 802.1x client with PEAP –Built into Windows XP SP1 –Released a PEAP client for Windows 2000 in November 2002 –No support yet for other OS’ (’98, ME)  WEP keys to supplicant protected by ‘session key’ from RADIUS server –At a configurable interval, updated key sent to authenticated PC  Using one vendor’s EAP method could lock you into using certain clients and devices

17 © 2004 Bluesocket, Inc. Secure Mobility ™ Is 802.1x “Good Enough”?  Most implementations require vendor specific APs/NICs/AAA servers –Interoperability is difficult in multi-vendor environments –There is no consensus on a “standard” EAP method or operating mode (TLS/PEAP in WinXP SP1 only) –Same problem as proprietary IPsec clients for guest access  Client software is required to run 802.1x, involving the need to upgrade all client devices –Only some Windows versions provide support; not on other devices (PDA’s, Apple MACs, Scanners, etc., etc.) –No visitor, non-802.1x guest user access  Underlying privacy is based on RC4 with rapid re-keying, requiring extensions to APs  Installed base of APs may require forklift upgrades –Potential high cost of deployment--- as each AP must support the final 802.11 standard and be properly configured  Access is all or nothing (either on or off the network) –No provisions for prioritization or bandwidth control by class of user

18 © 2004 Bluesocket, Inc. Secure Mobility ™ Is WPA a Step in the Right Direction? Yes  Wi-Fi Protected Access (WPA) –New terminology announced by the Wi-Fi Alliance (formally WECA) to describe 802.1x with TKIP and MIC –TKIP with WEP represents a significant air-link privacy improvement –Subset of the 802.11i security standard –802.11i will use AES in a mode to be determined later  Issues with WPA –Requires a 802.1x client/driver on all end-user devices –Limited device support –Variety of methods (LEAP, PEAP, TLS, TTLS, MD5) Which will be widely used or accepted as standard? –Does not provide a solution for securing sensitive traffic with alternate type technologies and protocols (e.g. IPSec, PPTP, SSL)

19 © 2004 Bluesocket, Inc. Secure Mobility ™ 802.11i (a.k.a. WPAv2) IEEE 802.11TGi Stronger encryption Makes sense to plan for 802.11i Will support secure, fast, reliable, roaming For Voice over WLAN But not all details are settled upon yet Beware: You may have to upgrade a lot of equipment!

20 © 2004 Bluesocket, Inc. Secure Mobility ™ Is WPA/802.11i Good Enough? Depends On Your Needs FeatureWPA/80211iMissing Parts Authentication√ Dynamic WEP Encryption√ Alternate Encryption (IPSec, PPTP, SSL)√ Access Control and Policy Management√ Guest/Visitor Access (Support for “client-free” devices) √ Bandwidth Management√ Support for any mobile device√ Support for Secure Roaming√ Intrusion Detection√ Rogue Access Point Detection√

21 © 2004 Bluesocket, Inc. Secure Mobility ™ Policy Enforcement and Compliance: Healthcare  Enforce network policies based on user rights  Examples: –Nurses: Given HTTPS access to patient databases only –Doctors: E-mail and Web access with IPSec encryption for HIPAA compliance –Contractors: Access only to their work servers –Patients/Public/Guests: Access to Internet only, with limited bandwidth

22 © 2004 Bluesocket, Inc. Secure Mobility ™ Wi-Fi Security Using IPSec Requires wireless users to authenticate before gaining network access IETF standard - Layer 3 authentication & encryption Familiar, reliable, trustworthy Challenges: No Layer 2 protection mechanisms IPSec clients may not be available for all handheld devices Can be difficult to manage and to scale Ensure the solution provides cross-subnet roaming Campus Network IPSec Termination Client software IPSec

23 © 2004 Bluesocket, Inc. Secure Mobility ™ WLANs Yesterday: External to Corporate Network Wireless traffic untrusted Access points placed outside the firewall Local wireless users placed on a separate network Internet Corporate network firewall Wireless Network

24 © 2004 Bluesocket, Inc. Secure Mobility ™ WLANs Today: Integrated Within the Network Wireless traffic authenticated before accessing network Access points installed on the regular wired LAN Wireless users managed like wired users Internet Corporate network firewall Wireless Network

25 © 2004 Bluesocket, Inc. Secure Mobility ™ WLANs Tomorrow: Throughout the Network Wireless traffic authenticated before accessing network Access points installed on any LAN Wireless users managed like remote users Internet Corporate network Firewall / VPN

26 © 2004 Bluesocket, Inc. Secure Mobility ™ WLANs Tomorrow: Universal Access Regardless of Location Internet Corporate network Firewall / VPN One method for network authentication from any location One set of login credentials used for on campus and remote network access Provides appropriate level of security and eases end-user adoption The login credentials used at work Are the same credentials used remotely

27 © 2004 Bluesocket, Inc. Secure Mobility ™ Recommendations 802.1x Strongly recommended if you’re using Layer 2 security Provides centralized management/policy control EAP Consider EAP-TLS if client certificates infrastructure is in place Avoid LEAP if standards are important (ASLEAP attack) If you have Microsoft kit, PEAP is built in IPSec If you chose IPSec be sure not to forgo mobility VLAN Deploy per-user VLAN policy if your network supports it Take the path of least resistance that meets your network needs

28 © 2004 Bluesocket, Inc. Secure Mobility ™ Bluesocket Future Directions  Continue to support standards – PEAP, TTLS, 802.11i  Add additional authentication methods to support customer needs –Have added PIN, Cosign, Certificate, use API for other methods  Continue to innovate around security and mobility –VLAN Mobility –More efficient traffic routing  Load Sharing to distribute load  More flexibility around login pages – by location/interface

29 © 2004 Bluesocket, Inc. Secure Mobility ™ Thank You…. Mike Brockney, SE Manager Bluesocket djuitt@bluesocket.com

Download ppt "© 2004 Bluesocket, Inc. Secure Mobility ™ Wireless Security: Issues and Solutions Mike Brockney Bluesocket www.bluesocket.com."

Similar presentations

Inter WISP WLAN roaming

Inter WISP WLAN roaming
Authentication.

Authentication.
Security Policy. TOPICS Objectives WLAN Security Policy General Security Policy Functional Security Policy Conclusion.

Security Policy. TOPICS Objectives WLAN Security Policy General Security Policy Functional Security Policy Conclusion.
© 2003 Bluesocket, Inc. Proprietary and Confidential. Do not copy. Security, Management & Mobility of Wireless Networks (WLANs) Issues Approaches Solutions.

© 2003 Bluesocket, Inc. Proprietary and Confidential. Do not copy. Security, Management & Mobility of Wireless Networks (WLANs) Issues Approaches Solutions.
CSG357 Dan Ziminski & Bill Davidge 1 Effective Wireless Security – Technology and Policy CSG 256 Final Project Presentation by Dan Ziminski & Bill Davidge.

CSG357 Dan Ziminski & Bill Davidge 1 Effective Wireless Security – Technology and Policy CSG 256 Final Project Presentation by Dan Ziminski & Bill Davidge.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
CN1260 Client Operating System Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+

CN1260 Client Operating System Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-1 Security Olga Torstensson Halmstad University.

© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-1 Security Olga Torstensson Halmstad University.
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
WLAN Security:PEAP Sunanda Kandimalla. Intoduction The primary goals of any security setup for WLANs should include: 1. Access control and mutual authentication,

WLAN Security:PEAP Sunanda Kandimalla. Intoduction The primary goals of any security setup for WLANs should include: 1. Access control and mutual authentication,
Top-Down Network Design Chapter Eight Developing Network Security Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.

Top-Down Network Design Chapter Eight Developing Network Security Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.
Company LOGO WIRELESS DEPLOYMENT A successful solution to Campuswide role-based secure Wi-Fi deployment Andrea Di Fabio – Information Security Officer.

Company LOGO WIRELESS DEPLOYMENT A successful solution to Campuswide role-based secure Wi-Fi deployment Andrea Di Fabio – Information Security Officer.
KIRAN CHAMARTHI NETWORK SECURITY

KIRAN CHAMARTHI NETWORK SECURITY
Wireless Security Issues Implementing a wireless LAN without compromising your network Marshall Breeding Director for Innovative Technologies and Research.

Wireless Security Issues Implementing a wireless LAN without compromising your network Marshall Breeding Director for Innovative Technologies and Research.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

Similar presentations

Ads by Google