assembling a secure 802.11 wireless network

ASSEMBLING A SECURE 802.11 WIRELESS NETWORK. Joerg Fritsch, NATO C3 Agency. RSA Conference 2005, 18 Oct, 2pm, Austria Center Vienna

Upload: joerg-fritsch

Post on 18-Nov-2014


Page 1: Assembling a secure 802.11 wireless network

ASSEMBLING A SECURE 802.11 WIRELESS NETWORK

Joerg Fritsch, NATO C3 Agency

RSA Conference 2005, 18 Oct, 2pm, Austria Center Vienna

Page 2: Assembling a secure 802.11 wireless network

Session learning objectives

• Understand the meaning of NIST recommendations and ‘FIPS’ compliance.

• Introduce the building blocks of a secure 802.11 wireless network.

• Visualize aspects of site survey, planning and roll out of a secure wireless network.

• Discriminate between ‘WLAN compatible’ and ‘security compatible’ equipment.

• Know why this is important for your future plans

Page 3: Assembling a secure 802.11 wireless network

What is “NIST compliant” WLAN ?

• U.S. NIST = National Institute of Standards and Technology

• NIST WLAN = 56 recommendations http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf

• last updated in November 2002, but still pretty much up-to-date and relevant to implementers

• mainly standards which were (at that time) still in the draft stage

• rumor about proposed update since beginning 2005 http://www.findarticles.com/p/articles/mi_qa3649/is_200501/ai_n9468284

• NIST makes recommendations, not law, not recipes

Page 4: Assembling a secure 802.11 wireless network

“NIST compliant” = new standards, (i.e. be brave…)

• Network authentication

— 802.1x

— EAP, EAP-FAST

— LEAP etc.

• Temporal key management

— WPA, WPAv2

• Ciphers

— AES

— TKIP

Page 5: Assembling a secure 802.11 wireless network

What are the building blocks?

• Users (fixed, or mobile)

• Access points

• Authentication (this is new, compared to traditional WLAN)

• Confidentiality

— Link encryption by APs

— IPSec overlay (fully FIPS compliant WLANs, - this is also a new idea)

• Monitoring and logging

• Physical Security of the APs

Page 6: Assembling a secure 802.11 wireless network

What about FIPS compliance ?

• (U.S.) Federal Information Processing Standard

• “Mandatory” feature that equipment bought by the government must support

• Currently there are no FIPS compliant wireless access points

• Be careful! Some vendors advertise this, but they really mean a combination of AP and VPN

• FIPS 140-2 compliance always generated by some sort of VPN concentrator (at our site Cisco VPN 3K)

Page 7: Assembling a secure 802.11 wireless network

IPSEC overlay: Fully NIST and FIPS compliant WLANs

Advantages

• Fully “NIST compliant”

• Common vulnerabilities (i.e. during association of the WLAN client) do not fire.

• Increases security and interoperability

• Integrates well with strong authentication

Disadvantages

• Industry's efforts are aiming for integrated wireless networks → you cut the link between you and the rest of the world

• VPN Client required (compatibility, interoperability!)

• Single Sign On is hard to achieve

Page 8: Assembling a secure 802.11 wireless network

There are 2 ways to assemble the building blocks: WLAN collocated with LAN

• We prefer this implementation framework because

• SSO for all WLAN Clients

• Additional Software (VPN Client) optional

• All private network services available for WLAN Clients

— File and Print services

— VLAN segmentation

— VoIP

Page 9: Assembling a secure 802.11 wireless network

There are two ways to assemble the building blocks: WLAN segregated from LAN

• Additional security

• Integrates best with

— IPSEC overlay

— Server based computing

• WLAN itself still needs to be secured

• Firewall policy will easily become permissive if not implemented in conjunction with IPSEC overlay or server based computing

Page 10: Assembling a secure 802.11 wireless network

Planning of a NIST compliant WLAN net

• All the stuff for a regular installation

— Site Survey Tools

• RF propagation Software

• Antennas, Cards & GPS

• Floor Plans

— Site Survey

• Selection of cell size and antennas

• General positioning indoor/outdoor

— Recommendations on physical security vs shielding & interference

• … plus physical security of the APs (manipulation, theft)

• … this can make your life much, much harder

Page 11: Assembling a secure 802.11 wireless network

Rolling out a NIST-compliant WLAN net (Here’s what we did at NC3A)

• Our design goals

• Our security goals

• Our implementation plan

• What we bought and our experience of implementing it

• What we have learned (so far…)

— How it fits with our existing hard- and software (If it’s only 6 months old, can you call it “legacy” ???)

— Risk evaluation !!!!!!!

Page 12: Assembling a secure 802.11 wireless network

Primary Design Goals

• Following the U.S. NIST security guidelines for governmental use

— Not required in NATO as yet, but probably a “best practice”

• Building a network that

— provides an acceptable privacy for a NATO UNCLASSIFIED network

— is not too difficult to implement

— Can teach us about future, higher security WLAN nets

• New features supportable on our existing hardware

• Preserving the advantages of a traditional WLAN

— Mobility

— user friendly

— low administrative overhead

Page 13: Assembling a secure 802.11 wireless network

Security Goals

• Do the best we can do (remember, it’s NATO UNCLASSIFIED)

• Do not cut the link between us and the rest of the world

• Mitigate known risks

• Imagine the unknown risks

• Know who is on our network (and who might try to sneak in)

• Understand what we are doing, and why

• Visualize the new network perimeter

Page 14: Assembling a secure 802.11 wireless network

We live in a simple security environment (not everyone is so lucky)

We can place APs in corridors where they are visible and accessible

Page 15: Assembling a secure 802.11 wireless network

Fitting the APs to the Physical Building

We find that even simple RF propagation models are quite effective and realistic …

But you need to have good physical building plans

Page 16: Assembling a secure 802.11 wireless network

What we bought

• Authentication:

— Funk “Steel Belted Radius” Server

— Microsoft Windows Domain Controller

• Access points: Cisco 1200 Access Points

• Antennas: 2dBi omni directional, ceiling mountable

• Confidentiality:

— WPA/TKIP or WPAv2/AES through Cisco IOS on APs

— FIPS-compliant Cisco VPN 3000 is used alternatively

• Monitoring and Logging: OpenSystems Envision HA

Page 17: Assembling a secure 802.11 wireless network

What we bought (continued)

• Cisco 6509 Wireless Service Module

— Centralized management of APs

— Achieve roaming qualities good enough for 802.11g telephones

• Clients: Disable Windows Zero Configuration Utility

— Several Vendor (Laptop) Client Utilities in use

• Atheros, IBM, Dell TrueMobile, Cisco all work for us

• Meanwhile long list of “Cisco Compatible Client Devices” published (this was not there when we started …) http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf

• No security compatible wireless Print Servers available

— Lowest common denominator: WPA-PSK

— Print Servers segregated from LAN

Page 18: Assembling a secure 802.11 wireless network

Problems we had during installation (and how we solved them)

• New wireless networks require a lot of new wires to be pulled throughout the building

— We rejected the “wireless, wireless” approach to get more usable bandwidth throughout the building

• Changed our minds several times on authentication

— Cisco LEAP, PEAP/Microsoft CHAPv2, EAP-TLS

— Settled on LEAP (straightforward implementation, easy reauthentication through cached credentials)

• New equipment first available with FCC certification, then re-configured for non-US channel schemes

— We started with US-legal equipment for testing, prototyping, then waited for “street-legal” European models

Page 19: Assembling a secure 802.11 wireless network

Lessons Learned

• Do not compare a corporate WLAN to your living room WLAN

— corporate WLANs can use: authentication, VLAN Tagging, multiple SSIDs, fast roaming, positioning engines

• WiFi compatible is not security compatible

— “WiFi certified” = interoperability of equipment on an unprotected HotSpot

• Secure WLANs need excellent signal stability, i.e. FCC-approved equipment is not good enough for a secure ETSI WLAN

— FCC client adapters get de-authenticated frequently w/o any obvious reason

• Expect incompatibilities even within the product lines of a single vendor

— problems and fixed bugs sometimes reappear after a firmware upgrade (i.e. de-authentication at high network load or when USB devices are (dis)connected)

• Even reasonably-priced RF propagation models turned out to be very accurate

— EKAHAU Site Survey, ESS
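
The de-authentication problems noted in the lessons above are the kind of event the monitoring and logging building block should surface. The following Python code is an added example, not part of the original slides or the NC3A deployment: it separates a single client that keeps getting de-authenticated from an AP where many distinct clients drop within one window. The log format, AP names, MAC addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a hypothetical log format (not any vendor's real syslog).
SAMPLE_LOG = """\
2005-10-18T14:00:01 ap=ap-corridor-1 event=deauth client=00:11:22:33:44:01
2005-10-18T14:00:05 ap=ap-corridor-1 event=assoc client=00:11:22:33:44:01
2005-10-18T14:00:20 ap=ap-corridor-1 event=deauth client=00:11:22:33:44:01
2005-10-18T14:00:45 ap=ap-corridor-1 event=deauth client=00:11:22:33:44:01
2005-10-18T14:05:00 ap=ap-corridor-2 event=deauth client=00:11:22:33:44:02
2005-10-18T14:05:02 ap=ap-corridor-2 event=deauth client=00:11:22:33:44:03
2005-10-18T14:05:03 ap=ap-corridor-2 event=deauth client=00:11:22:33:44:04
2005-10-18T14:00:00 ap=ap-corridor-3 event=deauth client=00:11:22:33:44:05
2005-10-18T15:00:00 ap=ap-corridor-3 event=deauth client=00:11:22:33:44:05
"""

LINE_RE = re.compile(r"^(\S+) ap=(\S+) event=deauth client=(\S+)$")

def parse_deauths(log_text):
    """Return time-sorted (timestamp, ap, client) tuples for de-authentication events only."""
    matches = (LINE_RE.match(line.strip()) for line in log_text.splitlines())
    return sorted((datetime.fromisoformat(m[1]), m[2], m[3]) for m in matches if m)

def _bursts(groups, limit, window, distinct):
    """Keys whose events reach `limit` (events, or distinct values) inside any sliding window."""
    hits = set()
    for key, items in groups.items():  # items: time-sorted (timestamp, value) pairs
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            span = items[start:end + 1]
            count = len({v for _, v in span}) if distinct else len(span)
            if count >= limit:
                hits.add(key)
                break
    return hits

def triage(events, window=timedelta(seconds=60), client_limit=3, ap_limit=3):
    """Flag clients de-authenticated repeatedly and APs dropping many distinct clients."""
    by_client, by_ap = defaultdict(list), defaultdict(list)
    for ts, ap, client in events:
        by_client[client].append((ts, ap))
        by_ap[ap].append((ts, client))
    flapping = _bursts(by_client, client_limit, window, distinct=False)
    mass = _bursts(by_ap, ap_limit, window, distinct=True)
    return {"flapping_clients": flapping, "mass_deauth_aps": mass}
```

A flagged client points first at the adapter or its firmware; a flagged AP points at load, AP firmware or injected de-authentication frames and is worth correlating with the RADIUS server's logs.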

Page 20: Assembling a secure 802.11 wireless network

So what? Why is this useful to you?

• NIST-compliant WLAN an “interesting” technology

• It’s not super-secure but it attempts to go a significant step beyond commercial “best practice”

• It is not influenced by any vendor, or any network philosophy

• Since we must live with WLAN, this is a way to sleep easily at night

• By forcing consideration of AP physical security, it may also force an evaluation of other physical security issues. This is good.

• (left as an exercise for the student)

Page 21: Assembling a secure 802.11 wireless network

Questions & Answers

Thank you for your attention

[email protected]

Page 22: Assembling a secure 802.11 wireless network

If you were in “their” shoes: What you need to attack WLANs

• NO Pringles Antenna!

• Educated guesses

• Time !!! – If they are not carried out in a staged or protected lab environment most attacks need time

• Wireless network sniffers and analyzers

— Kismet, http://www.kismetwireless.net

— Netstumbler, http://www.netstumbler.org

— Airopeek, http://www.airopeek.com

• Tools to decrypt WEP Keys

— Airsnort, http://airsnort.shmoo.com

— Weplab, http://weplab.sourceforge.net

— Chopchop

Page 23: Assembling a secure 802.11 wireless network

If you were in “their” shoes: What you need to attack WLANs (continued)

• WPA disassociation/de-authentication Attacks

— Airforge (re-inject packets – such as de-authentication packets), http://new.remote-exploit.org

• Attacks on the LEAP authentication

— Asleap, http://asleap.sourceforge.net

• WPA PSK brute force attacks

— Cowpatty, http://sourceforge.net/projects/cowpatty

• Attacks on the Wireless Client

— Airpwn, http://airpwn.sourceforge.net

— Hotspotter, http://new.remote-exploit.org