cisntwk-440 intro to network securityintro to network …ieee 802.11 wireless security protections...
TRANSCRIPT
-
CISNTWK-440Intro to Network SecurityIntro to Network Security
Chapter 6Wireless Network Security
1
-
ObjectivesObjectives
• Describe the basic IEEE 802 11 wireless securityDescribe the basic IEEE 802.11 wireless security protections
• Define the vulnerabilities of open system authentication, WEP, and device authentication
• Describe the WPA and WPA2 personal security modelsExplain how enterprises can implement wireless security• Explain how enterprises can implement wireless security
Security+ Guide to Network Security Fundamentals Third
2
-
IEEE 802.11 Wireless Security Protections
• Institute of Electrical and Electronics EngineersInstitute of Electrical and Electronics Engineers (IEEE)• The most widely known and influential organization for
computer networking and wireless communications• In the early 1980s, the IEEE began work on developing
computer network architecture standardscomputer network architecture standards• This work was called Project 802
• In 1990, the IEEE formed a committee to develop a , pstandard for WLANs• That operate at a speed of 1 and 2 million bits per
d (Mb )Security+ Guide to Network Security Fundamentals Third
second (Mbps)3
-
IEEE 802.11 Wireless Security Protections (continued)
• In 1997 the IEEE approved the IEEE 802 11 WLANIn 1997, the IEEE approved the IEEE 802.11 WLAN standard
• Revisions• IEEE 802.11a• IEEE 802.11b• IEEE 802.11g• IEEE 802.11n
Security+ Guide to Network Security Fundamentals Third
4
-
Controlling AccessControlling Access
• Controlling wireless access of devices to the WLANControlling wireless access of devices to the WLAN • Accomplished by limiting a device’s access to the
access point (AP)• By restricting access to the AP, only those devices that
are authorized are able to connect to the AP and become part of the wireless networkpart of the wireless network
• The IEEE 802.11 standard does not specify how to implement controlling access
• Almost all wireless AP vendors implement access control through Media Access Control (MAC) address filtering
Security+ Guide to Network Security Fundamentals Third
5
-
Controlling Access (continued)Controlling Access (continued)
Security+ Guide to Network Security Fundamentals Third
6
-
Controlling Access (continued)Controlling Access (continued)
Security+ Guide to Network Security Fundamentals Third
7
-
Controlling Access (continued)Controlling Access (continued)
• MAC address filtering is usually implemented by g y p ypermitting instead of preventing
• Wired Equivalent Privacy (WEP)• Designed to ensure that only authorized parties can
view transmitted wireless information• Uses encryption to protect traffic• Uses encryption to protect traffic
• The IEEE 802.11 committee designed WEP to meet the following criteria:• Efficient, exportable, optional, self-synchronizing, and
reasonably strong
Security+ Guide to Network Security Fundamentals Third
8
-
Controlling Access (continued)Controlling Access (continued)
• IEEE 802.11 WEP shared secret keys must be a yminimum of 64 bits in length
• The options for creating keys are as follows:• 64-bit key• 128-bit key
Passphrase• Passphrase• The AP and devices can hold up to four shared secret
keysy• One of which must be designated as the default key
Security+ Guide to Network Security Fundamentals Third
9
-
Security+ Guide to Network Security Fundamentals Third
10
-
Controlling Access (continued)Controlling Access (continued)
Security+ Guide to Network Security Fundamentals Third
11
-
Controlling Access (continued)Controlling Access (continued)
Security+ Guide to Network Security Fundamentals Third
12
-
Controlling Access (continued)Controlling Access (continued)
• Device authenticationDevice authentication• Wireless LANs cannot limit access to the wireless
signal by walls or doors• Sometimes called data emanation
• Types of authentication supported by the 802.11 standardstandard• Open system authentication
• See Figure 6-6
• Shared key authentication• See Figure 6-7
Security+ Guide to Network Security Fundamentals Third
13
-
Security+ Guide to Network Security Fundamentals Third
14
-
Security+ Guide to Network Security Fundamentals Third
15
-
Vulnerabilities of IEEE 802.11 Security
• The primary vulnerabilities are in the areas of open p y psystem authentication, MAC address filtering, and WEP
Security+ Guide to Network Security Fundamentals Third
16
-
Open System Authentication Vulnerabilities
• Open system authentication is considered weak becauseOpen system authentication is considered weak because authentication is based on only one factor:• A match of SSID
• The easiest way to discover the SSID is to actually do nothing
Exploits the beaconing process• Exploits the beaconing process• Once a wireless device receives a beacon frame, it can
attempt to join the networkp j• By sending an association request frame back to the
AP
Security+ Guide to Network Security Fundamentals Third
17
-
Open System Authentication p yVulnerabilities (continued)
• Passive scanning• The most common type of scanning
A i l d i i l li t f b f• A wireless device simply listens for a beacon frame for a set period of time
• For a degree of protection, some wireless securityFor a degree of protection, some wireless security sources encourage users to configure their APs to prevent the beacon frame from including the SSID
B t i t d i th t t th SSID• But instead require the user to enter the SSID manually on the wireless device
Security+ Guide to Network Security Fundamentals Third
18
-
Open System Authentication p yVulnerabilities (continued)
• Problems arise when the SSID is not beaconed• Problems arise when the SSID is not beaconed• Can affect roaming• Can also affect devices running Microsoft WindowsCan also affect devices running Microsoft Windows
XP• The SSID can be easily discovered even when it is not
contained in beacon frames• Still is transmitted in other management frames sent
by the APby the AP• Configuring an access point to not allow the beacon
frame to include the SSID provides virtually no protection
Security+ Guide to Network Security Fundamentals Third
19
-
Security+ Guide to Network Security Fundamentals Third
20
-
MAC Address Filtering WeaknessesMAC Address Filtering Weaknesses
• MAC addresses are initially exchanged in an• MAC addresses are initially exchanged in an unencrypted format through the WLAN• An attacker can easily see the MAC address of an y
approved device and use it to join the network• Managing a large number of MAC addresses can pose
significant challengessignificant challenges• MAC address filtering does not provide a means to
temporarily allow a guest user to access the network p y g• Other than manually entering the user’s MAC address
into the access point
Security+ Guide to Network Security Fundamentals Third
21
-
WEPWEP
• To encrypt packets WEP can use only a 64-bit or 128-bitTo encrypt packets WEP can use only a 64 bit or 128 bit number• Which is made up of a 24-bit initialization vector (IV)
and a 40-bit or 104-bit default key• The relatively short length of the default key limits its
strengthstrength• WEP implementation violates the cardinal rule of
cryptography:• Anything that creates a detectable pattern must be
avoided at all costsIV ld t t ti i f th h
Security+ Guide to Network Security Fundamentals Third
• IVs would start repeating in fewer than seven hours22
-
WEP (continued)WEP (continued)
• Because of the weaknesses of WEPBecause of the weaknesses of WEP• Possible for an attacker to identify two packets
derived from the same IV (called a collision)• Keystream attack
• A method of determining the keystream by analyzing two packets that were created from theanalyzing two packets that were created from the same IV
Security+ Guide to Network Security Fundamentals
23
-
WEP (continued)WEP (continued)
Security+ Guide to Network Security Fundamentals Third
24
-
WEP (continued)WEP (continued)
Security+ Guide to Network Security Fundamentals Third
25
-
Personal Wireless SecurityPersonal Wireless Security
• The wireless security requirements for personal wireless• The wireless security requirements for personal wireless security are most often based on two models promoted by the Wi-Fi Alliance:• WPA Personal Security• WPA2 Personal Security
Security+ Guide to Network Security Fundamentals Third
26
-
WPA Personal SecurityWPA Personal Security
Wi l Eth t C tibilit Alli (WECA)• Wireless Ethernet Compatibility Alliance (WECA)• A consortium of wireless equipment manufacturers
and software providers formed to promote wirelessand software providers formed to promote wireless network technology
• WECA goals:• To encourage wireless manufacturers to use the
IEEE 802.11 technologies• To promote and market these technologies• To promote and market these technologies• To test and certify that wireless products adhere to
the IEEE 802.11 standards to ensure product
Security+ Guide to Network Security Fundamentals Third
pinteroperability
27
-
WPA Personal Security (continued)WPA Personal Security (continued)
I 2002 th WECA i ti h d it t• In 2002, the WECA organization changed its name to Wi-Fi (Wireless Fidelity) Alliance
• In October 2003 the Wi-Fi Alliance introduced Wi-FiIn October 2003 the Wi Fi Alliance introduced Wi Fi Protected Access (WPA)• WPA had the design goal to protect both present and
future wireless devices, addresses both wireless authentication and encryption
• PSK addresses authentication and TKIP addressesPSK addresses authentication and TKIP addresses encryption
Security+ Guide to Network Security Fundamentals Third
28
-
WPA Personal Security (continued)WPA Personal Security (continued)
• Preshared key (PSK) authentication• Preshared key (PSK) authentication• Uses a passphrase to generate the encryption key
• When using PSK a key must be created and enteredWhen using PSK, a key must be created and entered into both the access point and all wireless devices• Prior to the devices communicating with the AP
• The PSK is not used for encryption• Instead, it serves as the starting point (seed) for
mathematically generating the encryption keysmathematically generating the encryption keys
Security+ Guide to Network Security Fundamentals Third
29
-
WPA Personal Security (continued)WPA Personal Security (continued)
• WPA replaces WEP with an encryption technology calledWPA replaces WEP with an encryption technology called Temporal Key Integrity Protocol (TKIP)
• TKIP has several advantages over WEP:• TKIP uses a longer 128-bit key• TKIP keys are known as per-packet keys• When coupled with other technologies, TKIP provides
an even greater level of security• WPA also replaces the (CRC) function in WEP with theWPA also replaces the (CRC) function in WEP with the
Message Integrity Check (MIC)• Designed to prevent an attacker from capturing,
Security+ Guide to Network Security Fundamentals Third
altering, and resending data packets30
-
WPA2 Personal SecurityWPA2 Personal Security
• Wi Fi Protected Access 2 (WPA2)• Wi-Fi Protected Access 2 (WPA2)• Introduced by the Wi-Fi Alliance in September 2004• The second generation of WPA securityThe second generation of WPA security• Still uses PSK authentication but instead of TKIP
encryption it uses enhanced data encryption• PSK Authentication
• Intended for personal and small office home office h d t h d d bilitiusers who do not have advanced server capabilities
• PSK keys are automatically changed and authenticated between devices after a specified
Security+ Guide to Network Security Fundamentals Third
authenticated between devices after a specified period of time known as the rekey interval
31
-
WPA2 Personal Security y(continued)
• PSK key management weaknesses:• PSK key management weaknesses:• The distribution and sharing of PSK keys is performed
manually without any technology security protectionsy y gy y p• PSK only uses a single key• Changing the PSK key requires reconfiguring the key
on every wireless device and on all access points• In order to allow a guest user to have access to a
PSK WLAN the key must be given to that guestPSK WLAN, the key must be given to that guest• A second area of PSK vulnerability is the use of
passphrases
Security+ Guide to Network Security Fundamentals Third
32
-
WPA2 Personal Security y(continued)
• A PSK is a 64 bit hexadecimal number• A PSK is a 64-bit hexadecimal number• The most common way in which this number is
generated is by entering a passphraseg y g p p• Consisting of letters, digits, punctuation, etc. that is between
8 and 63 characters in length
• PSK passphrases of fewer than 20 characters can be• PSK passphrases of fewer than 20 characters can be subject to a specific type of attack and broken
• AES-CCMP Encryption• Encryption under the WPA2 personal security model
is accomplished by AES-CCMP
Security+ Guide to Network Security Fundamentals Third
33
-
WPA2 Personal Security y(continued)
• CCMP is based upon the Counter Mode with CBC-MAC (CCM)• Of the Advanced Encryption Standard (AES)• Of the Advanced Encryption Standard (AES)
encryption algorithm• CCM is the algorithm providing data privacyg p g p y
• While the Cipher Block Chaining Message Authentication Code (CBCMAC) component of CCMP provides data integrity and authenticationprovides data integrity and authentication
Security+ Guide to Network Security Fundamentals Third
34
-
WPA2 Personal Security (continued)
Security+ Guide to Network Security Fundamentals Third
35
-
Enterprise Wireless SecurityEnterprise Wireless Security
• The enterprise wireless security options can be divided into those that follow the IEEE 802.11i standard and those that follow the WPA and WPA2 modelsthose that follow the WPA and WPA2 models
Security+ Guide to Network Security Fundamentals Third
36
-
IEEE 802 11iIEEE 802.11i
• The IEEE 802.11i wireless security standard• Addresses the two main weaknesses of wireless
networks: encryption and authenticationnetworks: encryption and authentication• Encryption is accomplished by replacing WEP’s
original PRNG RC4 algorithmoriginal PRNG RC4 algorithm• With a stronger cipher that performs three steps on
every block (128 bits) of plaintext• IEEE 802.11i authentication and key management is
accomplished by the IEEE 802.1x standard
Security+ Guide to Network Security Fundamentals Third
37
-
IEEE 802 11i (continued)IEEE 802.11i (continued)
Security+ Guide to Network Security Fundamentals Third
38
-
IEEE 802 11i (continued)IEEE 802.11i (continued)
• Key-caching• Stores information from a device on the network so if
a user roams away from a wireless access point anda user roams away from a wireless access point and later returns, he does not need to re-enter all of the credentials
• Pre-authentication• Allows a device to become authenticated to an AP
before moving into range of the APbefore moving into range of the AP
Security+ Guide to Network Security Fundamentals Third
39
-
WPA Enterprise SecurityWPA Enterprise Security
• The WPA Enterprise Security model is designed for medium to large-size organizations• Provides improved authentication and encryption over• Provides improved authentication and encryption over
the personal model on a wireless LAN• The authentication used is IEEE 802.1x and the encryption is
TKIP
Security+ Guide to Network Security Fundamentals Third
40
-
WPA Enterprise Security p y(continued)
• IEEE 802.1x Authentication• Provides an authentication framework for all IEEE
802 b d LAN802-based LANs• Uses port-based authentication mechanisms• Does not perform any encryption• Does not perform any encryption
• TKIP Encryption• An improvement on WEP encryptionp yp• Designed to fit into the existing WEP procedure
Security+ Guide to Network Security Fundamentals Third
41
-
WPA Enterprise Security p y(continued)
Security+ Guide to Network Security Fundamentals Third
42
-
WPA2 Enterprise SecurityWPA2 Enterprise Security
• Provides the highest level of secure authentication and encryption on a wireless LAN
• Authentication used is IEEE 802 1x and the encryption is• Authentication used is IEEE 802.1x and the encryption is AES-CCMP
• IEEE 802.1x authentication provides the most robust pauthentication for a WPA2 enterprise model WLAN
• Encryption is based on the stronger AES-CCMPO l th 128 bit k d 128 bit bl k d t• Only the 128-bit key and 128-bit block are mandatory for WPA2
Security+ Guide to Network Security Fundamentals Third
43
-
WPA2 Enterprise Security p y(continued)
Security+ Guide to Network Security Fundamentals Third
44
-
Enterprise Wireless Security p yDevices
• Thin Access Point• An access point without the authentication and
encryption functionsencryption functions• These features reside on the wireless switch
• Advantagesg• The APs can be managed from one central location• All authentication is performed in the wireless switch
Security+ Guide to Network Security Fundamentals Third
45
-
Enterprise Wireless Security p yDevices (continued)
Security+ Guide to Network Security Fundamentals Third
46
-
Enterprise Wireless Security p yDevices (continued)
• Wireless VLANs• Can be used to segment traffic and increase security• The flexibility of a wireless VLAN depends on which
device separates the packets and directs them to different networksdifferent networks
• See Figures 6-14 and 6-15
• For enhanced security many organizations set up two i l VLANwireless VLANs
• One for employee access• One for guest access
Security+ Guide to Network Security Fundamentals Third
• One for guest access47
-
Security+ Guide to Network Security Fundamentals Third
48
-
Security+ Guide to Network Security Fundamentals Third
49
-
Enterprise Wireless Security p yDevices (continued)
• Rogue Access Point Discovery Tools• Wireless protocol analyzer
• Allows auditing the airwaves for rogue access points
• Monitoring the RF frequency requires a special sensor called a wireless probecalled a wireless probe
• Types of wireless probes:• Wireless device probe• Desktop probe• Access point probe
Security+ Guide to Network Security Fundamentals Third
• Dedicated probe50
-
Security+ Guide to Network Security Fundamentals Third
51
-
SummarySummary• The initial IEEE 802.11 standard contained security
controls for protecting wireless transmissions from attackers
• The Wi Fi Alliance has introduced two levels of personal• The Wi-Fi Alliance has introduced two levels of personal security• Wi-Fi Protected Access (WPA) and Wi-Fi Protected
Access 2 (WPA2)• Enterprise wireless security requires different security
models from personal wireless securitymodels from personal wireless security• Additional wireless security devices can be used to
defend against attackers
Security+ Guide to Network Security Fundamentals Third
g
52