2012 AH Vegas: WLAN Security Fundamentals
TRANSCRIPT
CONFIDENTIAL © Copyright 2012. Aruba Networks, Inc. All rights reserved 1
SECURITY FUNDAMENTALS
Presented by Andy Logan, Aruba Networks
Why Does Security Matter?
No Wireless Policies or Doing Nothing!
• Consumer-grade wireless LAN equipment is cheap and easily available
  – If the IT department doesn't deploy wireless, someone else will
• How do you enforce "No Wireless" policies?
The Existence of Wireless LANs is a Security Threat!
[Diagram: Your Company, Your employee, New York City]
• Employee is a subscriber to a public Wi-Fi hotspot service
• Employee's laptop automatically associates with the public Wi-Fi hotspot
• The laptop plugs into the wired corporate network
• Traffic is bridged between the public hotspot and the enterprise network
RF Security Myths
Defeating RF Engineering for $7!
http://www.oreillynet.com/lpt/wlg/448
SSID Cloaking
• Best practice?
  – "Configure APs to not broadcast the SSID"
• At best, this can discourage a bad guy
• The SSID is not the same as a password
Discovering Cloaked SSIDs
linux:~# ./essid_jack -h
Essid Jack: Proof of concept so people will stop calling an ssid a password.

Usage: ./essid_jack -b <bssid> [ -d <destination mac> ] [ -c <channel number> ] [ -i <interface name> ]

  -b: bssid, the mac address of the access point (e.g. 00:de:ad:be:ef:00)
  -d: destination mac address, defaults to broadcast address.
  -c: channel number (1-14) that the access point is on, defaults to current.
  -i: the name of the AirJack interface to use (defaults to aj0).

linux:~# essid_jack -b 00:03:2d:de:ad: -c 11
Got it, the essid is (escape characters are c style):
"s3kr1t_wl4n"
MAC Address Filtering
• Some APs offer "MAC address filtering"
• Does not scale to large networks
• Trivial to defeat
WEP - Wired Equivalent Privacy
• Part of the original 802.11 specification
• Static WEP: everyone uses the same key, all the time
• Dynamic WEP: everyone uses a different key, assigned at each authentication
• Broken – NOT recommended for deployment
Is WEP really that bad?
• Using WEP is like saying "I'd rather you didn't use my network"
• Dynamic WEP is slightly better than static WEP, but it is still WEP
Other things to Avoid...
• Cisco LEAP (vulnerable to dictionary attacks)
• EAP-FAST (doesn't securely provide mutual authentication)
• Use caution with WPA-Personal/WPA-PSK (more later...)
• Proprietary "shielding" or "scrambling" (easy to defeat)
• Don't assume your "no wireless" policy means that you don't have wireless
No Wi-Fi? Scan Your Network!
• Turn on your Wi-Fi adapter and let your OS scan the environment where you work
  – You may be surprised at the number of networks your system will detect
  – Constant scanning is a must if you want an effective policy
• Download tools to help you audit your systems
  – http://accessagility.com/products/wifi-scanner.html
  – http://www.netstumbler.com/downloads/
  – http://www.remote-exploit.org/backtrack.html
Securing Wi-Fi
Key Security Principles
• Principle of Least Privilege
  – Authentication, identity-based security, firewalls
• Defense in Depth
  – Authentication, encryption, intrusion protection, client integrity
• Prevention is ideal, detection is a must
  – Intrusion detection systems, log files, audit trails, alarms, and alerts
• Know Thy System
  – Integrated management, centralization
Network Access Control (NAC)
• Identity-Based Policy Control
  – Authenticate users
  – Assess user role, device, location, time, application
  – Policies follow users throughout the network
  – (Aruba PEF)
• Health-Based Assessment
  – Client health validation
  – Remediation
  – Ongoing compliance
  – (ClearPass OnGuard)
• Network-Based Protection
  – Stateful firewalls to enforce policies and quarantine
  – User/device blacklisting based on policy validation
  – (Integration with ESI)
Authentication
• 802.1X is best for Wi-Fi. Works with all modern client operating systems
• Makes use of EAP (Extensible Authentication Protocol)
• 802.1X authentication happens at L2 – users will be authenticated before an IP address is assigned
Common EAP Types
• EAP-TLS
  – Clients use certificates to authenticate
• PEAP
  – Clients use passwords to authenticate
  – Inner EAP type: MSCHAPv2 (password is in MSCHAPv2 format)
  – Inner EAP type: GTC (password is cleartext inside the PEAP tunnel)
Authentication with 802.1X: PEAP
[Diagram: STA <-> AP/Controller <-> Authentication Server. EAPOL (EAP over LAN) runs between the STA and the AP/Controller, RADIUS between the AP/Controller and the Authentication Server; the encrypted tunnel runs end to end from the STA to the Authentication Server]
Local EAP Termination
[Diagram: STA <-> AP/Controller <-> Authentication Server. EAPOL (EAP over LAN) runs between the STA and the AP/Controller, RADIUS/LDAP (optional) between the AP/Controller and the Authentication Server; the EAP session terminates on the AP/Controller]
Encrypt the Data
• If intruders can't read the data, there's no need to worry where it goes
  – WEP
    • Simple to do, easy to crack
    • No key management
    • Don't do it
  – TKIP (Temporal Key Integrity Protocol)
    • Works on legacy hardware (pre-2003)
    • First major flaw published in November 2008
    • Flaw is getting worse with more research
    • Not currently recommended
  – CCMP/AES
    • Encryption using AES
    • Considered state-of-the-art
    • Government approved (FIPS, CESG, etc.)
    • Works on all modern hardware
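The "Scan Your Network" slide says to let the OS scan and audit what it finds; this slide says what to look for (no WEP, no TKIP, CCMP/AES everywhere). The following Python script is an added example, not Aruba code or any of the tools linked above: it parses scan text laid out like the output of `iw dev <iface> scan`, classifies each BSS as open, WEP, WPA-TKIP or WPA2-CCMP with its key management, and reports the ones that break that guidance. The scan text, the `CORPORATE_SSIDS` set and the policy rules are constructed assumptions; a second BSS advertising a corporate SSID with a pre-shared key is reported because it is either a misconfigured AP or a rogue.

```python
"""Audit a Wi-Fi scan for networks that break the slides' encryption guidance
(no open networks, no WEP, no TKIP) and for corporate SSIDs not using 802.1X.

Added example, not Aruba code. SCAN_OUTPUT is constructed and only modelled
on the layout of `iw dev <iface> scan`; CORPORATE_SSIDS is an assumption.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: four BSSes laid out the way `iw dev wlan0 scan` prints them.
SCAN_OUTPUT = """\
BSS 00:11:22:33:44:01(on wlan0)
\tSSID: CoffeeShop
\tcapability: ESS ShortSlotTime (0x0401)
BSS 00:11:22:33:44:02(on wlan0)
\tSSID: OldPrinter
\tcapability: ESS Privacy ShortSlotTime (0x0411)
BSS 00:11:22:33:44:03(on wlan0)
\tSSID: Corp
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tWPA:\t * Version: 1
\t\t * Group cipher: TKIP
\t\t * Pairwise ciphers: TKIP
\t\t * Authentication suites: PSK
BSS 00:11:22:33:44:04(on wlan0)
\tSSID: Corp
\tcapability: ESS Privacy (0x0011)
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
\t\t * Pairwise ciphers: CCMP
\t\t * Authentication suites: IEEE 802.1X
"""

CORPORATE_SSIDS = {"Corp"}  # assumption: SSIDs this organisation owns


@dataclass
class Bss:
    bssid: str
    ssid: str = ""
    privacy: bool = False                      # Privacy bit of the capability field
    ies: dict = field(default_factory=dict)    # "WPA"/"RSN" -> {"pairwise": [...], "akm": "..."}


def parse_scan(text):
    """Turn iw-style scan text into a list of Bss records."""
    bsses, cur, ie = [], None, None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:
            cur, ie = Bss(bssid=m.group(1)), None
            bsses.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            cur.ssid = s[5:].strip()
        elif s.startswith("capability:"):
            cur.privacy = "Privacy" in s.split()
        elif s.startswith(("WPA:", "RSN:")):
            ie = s[:3]
            cur.ies[ie] = {"pairwise": [], "akm": ""}
        elif ie and s.startswith("* Pairwise ciphers:"):
            cur.ies[ie]["pairwise"] = s.split(":", 1)[1].split()
        elif ie and s.startswith("* Authentication suites:"):
            cur.ies[ie]["akm"] = s.split(":", 1)[1].strip()
    return bsses


def classify(bss):
    """Return (security label, key management), e.g. ("WPA2-CCMP", "IEEE 802.1X")."""
    if "RSN" in bss.ies:
        gen, ie = "WPA2", bss.ies["RSN"]
    elif "WPA" in bss.ies:
        gen, ie = "WPA", bss.ies["WPA"]
    elif bss.privacy:
        return "WEP", ""          # Privacy bit set but no WPA/RSN IE: static WEP
    else:
        return "OPEN", ""
    # Any TKIP in the pairwise list counts as TKIP: a mixed-mode AP still lets
    # a client negotiate the weak cipher.
    cipher = "TKIP" if "TKIP" in ie["pairwise"] else "/".join(ie["pairwise"])
    return f"{gen}-{cipher}", ie["akm"]


def audit(bsses, corporate_ssids=CORPORATE_SSIDS):
    """Return (bssid, ssid, label, reason) for every BSS that violates policy."""
    findings = []
    for b in bsses:
        label, akm = classify(b)
        if label == "OPEN":
            findings.append((b.bssid, b.ssid, label, "open network: no encryption"))
        elif label == "WEP":
            findings.append((b.bssid, b.ssid, label, "WEP: broken, do not deploy"))
        elif label.endswith("TKIP"):
            findings.append((b.bssid, b.ssid, label, "TKIP: not recommended, move to CCMP/AES"))
        if b.ssid in corporate_ssids and akm == "PSK":
            findings.append((b.bssid, b.ssid, label,
                             "corporate SSID advertised with a pre-shared key: misconfigured or rogue AP"))
    return findings


if __name__ == "__main__":
    for bssid, ssid, label, reason in audit(parse_scan(SCAN_OUTPUT)):
        print(f"{bssid}  {ssid:<12} {label:<10} {reason}")
```

Run against a real scan by piping `iw dev wlan0 scan` into `parse_scan`. The CCMP-only, 802.1X BSS on "Corp" passes; the other three produce findings, and the TKIP/PSK BSS that also carries the corporate SSID produces two, which is the rogue-AP case the intrusion-prevention slides return to later.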
Combining Authentication & Encryption: WPA
• WPA == Wi-Fi Protected Access
• WPA
  – Wi-Fi Alliance "standard" based on pre-802.11i
  – Includes TKIP for encryption
• WPA2
  – Wi-Fi Alliance "standard" based on ratified 802.11i
  – Includes TKIP and CCMP for encryption
• For both:
  – WPA-Enterprise == 802.1X for authentication, dynamic encryption keys
  – WPA-Personal == pre-shared authentication key – careful!
WPA-Personal? Be careful...
• WPA-Personal does not use 802.1X
  – Pre-shared key
  – Easier
  – But less secure
• Problem 1: Scalability
  – Need to re-key any time an employee/user leaves the organization
• Problem 2: Using weak keys
  – WPA-PSK keys that are weak can be cracked (dictionary attack)
Configure WPA Properly
• Configure the Common Name of your RADIUS server (matches CN in server certificate)
• Configure trusted CAs (an in-house CA is better than a public CA)
• ALWAYS validate the server certificate
• Do not allow users to add new CAs or trust new servers
• Enforce with group policy
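The rules on this slide map onto a handful of supplicant settings, and a supplicant that skips them will hand its credentials to whichever RADIUS server answers. As an added example (not Aruba's code; the configuration text is constructed and its CA path and RADIUS host name are placeholders), here is a small Python audit that parses wpa_supplicant network blocks and flags an 802.1X network that lacks a trusted CA (`ca_cert`/`ca_path`) or a server-name check (`domain_suffix_match` or its older cousins). The sample shows the weak block beside the hardened one:

```python
"""Check wpa_supplicant network blocks for the server-validation settings the
slide requires: a trusted CA and a server-name match.

Added example, not Aruba code. SAMPLE_CONF is constructed; the CA path and
the RADIUS name in it are placeholders.
"""

# Constructed wpa_supplicant.conf: the first block is the weak configuration,
# the second is the same network hardened.
SAMPLE_CONF = '''
ctrl_interface=/var/run/wpa_supplicant

network={
    ssid="Corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="Corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    proto=RSN
    pairwise=CCMP
    # placeholder path: the in-house CA only, not the system CA bundle
    ca_cert="/etc/ssl/certs/corp-internal-ca.pem"
    # placeholder name: must match the CN / dNSName in the server certificate
    domain_suffix_match="radius.corp.example"
}
'''

# Any one of these pins the server identity; domain_suffix_match is the one
# current wpa_supplicant documentation recommends over subject_match.
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")


def parse_networks(text):
    """Return each network={...} block as a dict of key -> value (quotes removed)."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # simplification: '#' never appears inside a value
        if not line:
            continue
        if line.startswith("network={"):
            cur = {}
        elif line == "}" and cur is not None:
            blocks.append(cur)
            cur = None
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip().strip('"')
    return blocks


def audit_network(net):
    """Issues for one block; an empty list means it follows the slide's rules.
    Only 802.1X (WPA-EAP) networks are checked: a PSK network has no server to validate."""
    issues = []
    if "WPA-EAP" not in net.get("key_mgmt", "").split():
        return issues
    if not (net.get("ca_cert") or net.get("ca_path")):
        issues.append("no ca_cert/ca_path: the RADIUS server certificate is not validated, "
                      "so any server can terminate the EAP session")
    if not any(net.get(k) for k in SERVER_NAME_KEYS):
        issues.append("no domain_suffix_match/subject_match: any certificate issued by "
                      "the trusted CA(s) would be accepted")
    if "TKIP" in net.get("pairwise", ""):
        issues.append("pairwise allows TKIP: restrict to CCMP")
    return issues


def audit_config(text):
    """(block index, ssid, issues) for every block that fails."""
    results = []
    for i, net in enumerate(parse_networks(text)):
        issues = audit_network(net)
        if issues:
            results.append((i, net.get("ssid", ""), issues))
    return results


if __name__ == "__main__":
    for i, ssid, issues in audit_config(SAMPLE_CONF):
        print(f"network #{i} ({ssid}):")
        for issue in issues:
            print("  -", issue)
```

The same two checks exist as "Validate server certificate", "Connect to these servers" and the trusted-root-CA list in a Windows wireless profile, and that is where the last two bullets apply: the profile is pushed and locked by group policy so users cannot add a CA or accept a new server when prompted.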
Authorize the Data
[Diagram: one AP hosting Virtual AP 1 (SSID: Corp) and Virtual AP 2 (SSID: GUEST). Corporate services (Data, Voice, Signage, PoS) are separated by role-based access control and SSID-based access control, each role with its own access rights; guest users go through ClearPass Guest Access with a captive portal and a secure tunnel to the DMZ; authentication backends are RADIUS, LDAP and AD]
Why Worry About Authorization?
• Mobility brings us:
  – Disappearance of physical security
  – New mobile users and devices appearing every day
  – Increased exposure to malware
• Assuming that "the bad guys are outside the firewall, the good guys are inside" is a recipe for disaster
"Hole 196" – An Insider Attack
Vulnerability
• STA accepts a unicast IP frame encrypted in the RSN broadcast/group key
• Allows spoofing of ARP and DNS, which leads to man-in-the-middle attacks
Aruba Mitigation:
# firewall prohibit-ip-spoofing
# firewall prohibit-arp-spoofing
PEF to Control Wireless Performance
[Diagram: Multicast/Broadcast, Chatty Protocols, Power Users Stealing B/W, Malicious or Misconfigured Clients, Bonjour]
Lack of Policy Impacts Network Reliability & Performance!
• What are multicast and broadcast currently being used for?
• What problems am I creating by using large VLANs to solve mobility issues?
• What non-critical applications are consuming bandwidth?
• Should users be connecting to 3rd-party WLANs?
• Should users be setting up their own WLANs?
• Should users be connected to wireless while wired?
• How are "Power" Users affecting others?
• How are unauthorized users affecting network availability?
Wireless Intrusion Prevention - RFProtect
• Integrated
  – It knows your clients and APs
• Uncontrolled wireless devices
  – Rogue APs
  – Laptops acting as bridges
  – Misconfigured laptops
  – Ad-hoc networks
• Attacks against the WLAN
  – Denial of service/flooding
  – Forged de-authenticate/disassociate
  – Man-in-the-middle
  – WEP cracking
  – WPA-PSK cracking
TotalWatch Full Spectrum Monitoring
• Complete Coverage
  – 2.4-GHz and 5-GHz scanning
  – 4.9-GHz public safety band
• 5-MHz channel increment scanning
  – Rogue detection in-between channels
[Diagram: 2.4 GHz, 4.9 GHz and 5.0 GHz bands with 5-MHz channel scanning]
Aruba Air Monitor: Client Tarpit Containment
• Does not waste air-time during threat mitigation
• Works against any brand and type of wireless device
[Diagram: Client, Rogue Access Point, Aruba Air Monitor]
1. Client is trying to associate to the rogue AP
2. Air Monitor creates a tarpit with a fake channel or fake BSSID
3. Client associates to the Air Monitor tarpit in preference to the rogue
4. Client stops association attempts to the rogue
Hotspotter/KARMA Attack
[Diagram, step 1: the client broadcasts probe requests (Probe: Linksys, Probe: tmobile, Probe: MyCorpSSID) while Hotspotter/KARMA sits in listen mode]
[Diagram, step 2: Hotspotter/KARMA advertises the probed SSID (Probe response: tmobile, Beacon: tmobile) while the client listens]
RFProtect will detect Hotspotter!
Control Compromised Devices
Detect unsecure devices
• Block access to network resources across wired, wireless & remote
• Auto-remediate the device
• Minimal risk to the network
[Diagram: Access Network, ClearPass Policy Manager with OnGuard]
Posture with MS NAP Agent
[Diagram: Windows NAP Agent, ClearPass Policy Manager, Aruba Controller]
Health information is sent in the authentication request
• If posture met: CPPM sends Role to Controller; Controller sends the proper role and full access
• If posture NOT met: CPPM sends Quarantine Role to Controller; Controller places the endpoint in the quarantine role
  A. NAP agent attempts auto-remediation (if enabled on CPPM) and re-authenticates
  B. User addresses compliance issues and tries to manually re-authenticate
Posture with OnGuard Agent
[Diagram: Windows w/OnGuard Agent, ClearPass Policy Manager, Aruba Controller]
1. Authentication request is forwarded to CPPM; CPPM sends Quarantine Role to Controller; Controller places the endpoint in quarantine
2. Then one of:
  A. OnGuard returns good health information, or
  B. OnGuard enables auto-remediation (if enabled on CPPM) and re-authenticates, or
  C. User addresses compliance issues and tries to manually re-authenticate
3. When health is good or remediation is successful, the information is sent back to CPPM; CPPM sends Full Access Role to Controller; Controller sends the role and full access
Centralization solves security and TCO for WLANs
[Diagram: Centralized vs. Decentralized. "Thin" Access Points keep only the 802.11a/b/g radios and antennas, with Policy, Mobility, Forwarding, Encryption, Authentication and Management centralized on the Mobility Controller; "Autonomous" Access Points carry all of those functions on each AP]
Advanced Security – Suite B
Advanced Cryptography – Suite B
• Suite B is a set of cryptographic algorithms approved by the US National Security Agency (NSA)
  – AES-GCM
  – ECDSA
  – ECDH
  – SHA2
• Suite B can be used by governments/militaries to protect classified information
Aruba Suite B Implementation
• Requires Advanced Cryptography License (ACR)
• IPsec
  – ArubaOS 6.1.0.0
  – RFC 4869 "Suite B Cryptographic Suites for IPsec"
  – Supported by VIA 2.0
  crypto ipsec transform-set <foo> esp-aes128-gcm
• bSec
  – ArubaOS 6.1.4.0-FIPS
  – L2 protocol – works like WPA2
  – Specification is open to any vendor (only Aruba today)
  – Supported by VIA 2.1 for Windows – other platforms coming
  wlan ssid-profile <foo> opmode wpa2-aes-gcm-128
Putting It All Together
Today's Wireless Gold Standard
• Centralized, tunneled access
• Keep clients updated – drivers too!
• Wireless intrusion detection
  – Control uncontrolled wireless
  – Locate and protect against rogue APs
• WPA2
  – Authentication using 802.1X and EAP-TLS
  – AES for link-layer encryption
• Strong passwords
  – SecurID or other token-card products (maybe…)
  – Strong password policies
• Authorization with identity-aware firewalls
  – Enforce principle of least privilege
  – Provide separation of user/device classes