Copyright © 2005, Cisco Systems, Inc. All rights reserved.
Applying Security Principles to Networking Applications
Mark Enright, enright@cisco.com
Dec 08, 2005
Copyright © 2003, Cisco Systems, Inc. All rights reserved. EDCS-301795
What is Security in Computer Development Projects?
• What are you protecting?
• Why are you protecting it?
• From whom are you protecting it?
• How are you going to protect it?
• What is the cost of protecting it?
Wired Access Topology
(diagram: Internet, Access Device, Local Area Network (LAN), Wide Area Network (WAN))
Wireless Access Topology
(diagram: Internet, Access Device, Local Area Network (LAN), Wide Area Network (WAN))
Wireless Access Security Complication
• Physical access to the Local Area Network is no longer required
– Anyone can intercept your conversations
– Anyone can utilize your network resources
Security Solution For Wireless Access
• Authentication
• Encryption
Typical Solution for Wireless Access
(diagram: client, Access Point, Internet)
1) Where is Access Point "MyAP"?
2) I am here. Prove you know my secret.
Typical Solution for Wireless Access (continued)
3) Here is my proof.
4) OK. Here are session keys.
So What's the Problem?
• Wireless Access is a huge consumer market
• People are becoming concerned with Wireless Security
• My Grandmother can't use it
What Can We Do To Help?
• Make it easy for Grandma to set up Wireless Security
Step 1. Configure Security Parameters Automatically
When the Access Point is booted for the first time, it:
– Configures a random secure SSID
– Configures a random WPA shared secret
– Waits for a wireless association on the secure SSID
(diagram: SSID: r@ndOm 55ID, WPA-PSK: R@NDOM_P@SsW0Rd)
Step 2.
• How Can We Transfer Security Parameters Securely?
Step 2. Trial One
SSID: Well Known SSID, Open Authentication
1) Where is my Access Point "Well Known SSID"?
2) Here I am. Come on in.
Step 2. Trial One (continued)
SSID: Well Known SSID, Open Authentication
3) Give me Security Parameters.
4) Here they are.
Step 2. Trial One (continued)
SSID: r@ndOm 55ID, WPA-PSK: R@NDOM_P@SsW0Rd (the parameters handed out in step 4)
1) Where is my Access Point "r@ndOm 55ID"?
2) I am here. Prove you know my secret.
Step 2. Trial One (continued)
SSID: r@ndOm 55ID, WPA-PSK: R@NDOM_P@SsW0Rd
3) Here is my proof.
4) OK. Here are session keys.
Step 2. Trial One Attack
SSID: Well Known SSID, Open Authentication (diagram: the same exchange, with an attacker as the client)
1) Where is my Access Point "Well Known SSID"?
2) Here I am. Come on in.
Step 2. Trial One Attack (continued)
SSID: Well Known SSID, Open Authentication
3) Give me Security Parameters.
4) Here they are.
Step 2. Trial Two
• What authentication is possible given the constraints?
– something we know
– something we have
– something we are
– something we do
• If we can't be sure, at least be safe
Step 2. Trial Two
SSID: Well Known SSID, Open Authentication (diagram: two clients and one Access Point)
Client A: Where is my Access Point "Well Known SSID"?
Access Point: Here I am. Come on in.
Client B: Where is my Access Point "Well Known SSID"?
Access Point: Here I am. Come on in.
Step 2. Trial Two (continued)
SSID: Well Known SSID, Open Authentication
Client A: 1) Give me Security Parameters.
Access Point: Hang on a sec.
Client B: Give me Security Parameters.
Access Point: Unable to guarantee unique access. Access to all denied.
Step 2. Trial 2 Attack
• Attacker just Associates and Listens
Trial 3.
• Use Trial 2 Method for Authentication
• Use SSL for Encryption
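The Step 1 and Trial Two behaviour above, as an added simulation that is not Cisco's code: the access point generates a random SSID and WPA-PSK at first boot, and hands them out only when it can guarantee that exactly one station is associated on the well-known setup SSID; otherwise it denies everyone. The class and method names are hypothetical, and Trial 3's SSL layer (confidentiality of the hand-out) is not modelled.

```python
import secrets
import string

# Constructed simulation of the slide deck's provisioning access point:
# Step 1 (random SSID / WPA shared secret at first boot) and Step 2 Trial Two
# (answer a parameter request only when the requester is the sole association;
# "if we can't be sure, at least be safe": deny all).

SETUP_SSID = "Well Known SSID"   # open-authentication setup network from the slides


def random_parameters():
    """Step 1: random secure SSID and random WPA-PSK (assumed formats)."""
    alphabet = string.ascii_letters + string.digits
    ssid = "ap-" + "".join(secrets.choice(alphabet) for _ in range(12))
    # WPA-PSK passphrases are 8 to 63 printable characters; 32 random ones here.
    psk = "".join(secrets.choice(alphabet + "@_-") for _ in range(32))
    return {"ssid": ssid, "wpa_psk": psk}


class ProvisioningAP:
    def __init__(self):
        self.params = random_parameters()   # configured once, at first boot
        self.associated = set()             # stations currently on SETUP_SSID
        self.provisioned = False            # parameters are handed out once

    def associate(self, station_mac):
        """Open authentication on the setup SSID: 'Here I am. Come on in.'"""
        self.associated.add(station_mac)

    def disassociate(self, station_mac):
        self.associated.discard(station_mac)

    def request_parameters(self, station_mac):
        """Trial Two rule: reply only if this station is the sole association."""
        if self.provisioned or station_mac not in self.associated:
            return None
        if self.associated != {station_mac}:
            # Unable to guarantee unique access: access to all denied.
            self.associated.clear()
            return None
        self.provisioned = True
        return dict(self.params)
```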
So What's the Problem with IPSec?
• Network Protection is a huge consumer market
• People are becoming concerned with Security and look to IPSec for help
• My Grandmother can't use it
Network Address Translation
(diagram: two Local Area Networks, each using the private addresses 192.168.1.100 and 192.168.1.101, reach the Internet through access devices whose Wide Area Network addresses are 172.204.19.32 and 62.2.12.17)
The RoadWarrior IPSec Problem
• With common implementations the IP address needs to be known a priori, or else a global shared secret is used for authentication
• Mobility and NAT make it hard to predict the IP address
RoadWarrior Solution
(diagram: Road Warrior Client, Internet, HomeGateway, Protected Network; an HTTPS session and an IPSec VPN Tunnel between the client and the gateway)
1. Gateway configured: SSL; username, password
2. Client configured: Web install client software; configure address of Home Gateway
3. Client software connects: logs on to HTTPS; initiates the IPSec VPN
4. Gateway accepts: authenticates Client by password; figures out current Client IP Address; provisions IPSec for Client IP Address; joins Client to Protected Network using IPSec VPN
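The gateway side of this flow, as an added simulation that is not Cisco's code: the client authenticates by username and password over HTTPS, the gateway takes the client's current (post-NAT) address from that connection, and only then provisions an IPsec peer for it, so neither a pre-known address nor a global shared secret is needed. Class and method names, the PBKDF2 password store, and the per-session pre-shared key are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed simulation of the deck's RoadWarrior gateway: step 1 (configure
# username/password), steps 3 and 4 (HTTPS logon, learn the client's current
# IP address, provision IPsec for that address). Hypothetical names throughout.


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class HomeGateway:
    def __init__(self):
        self.users = {}          # username -> (salt, PBKDF2 hash)
        self.ipsec_peers = {}    # provisioned client IP -> per-session PSK

    def configure_user(self, username, password):
        """Step 1: gateway configured with a username and password."""
        salt = os.urandom(16)
        self.users[username] = (salt, _hash_password(password, salt))

    def https_logon(self, username, password, observed_src_ip):
        """Steps 3 and 4: authenticate by password, then provision IPsec for
        the address the HTTPS connection actually arrived from (post-NAT)."""
        entry = self.users.get(username)
        if entry is None:
            return None
        salt, stored = entry
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None                          # authentication failed
        session_psk = secrets.token_hex(32)      # one secret per client session
        self.ipsec_peers[observed_src_ip] = session_psk
        return {"peer_ip": observed_src_ip, "psk": session_psk}

    def ike_allowed(self, src_ip):
        """The gateway negotiates IPsec only with addresses provisioned via logon."""
        return src_ip in self.ipsec_peers
```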