Securing Your Wireless LAN

Transcription

1 Securing Your Wireless LAN Pejman Roshan Product Manager Cisco Aironet Wireless Networking Session Number 1

2 Agenda Requirements for secure wireless LANs Overview of 802.1X and TKIP Determining which EAP type best suits your needs What lies ahead 2

3 Requirements for Secure Wireless LANs Encryption and Data Privacy Encryption Algorithm Message Integrity Authentication and Access Control Authentication Framework Authentication Algorithm 3

4 Requirements for Secure Wireless LANs Encryption Algorithm Mechanism to provide data privacy Message Integrity Ensures data frames are tamper free and truly from the source address Authentication Framework Framework to facilitate authentication messages between clients, access point, and AAA server Authentication Algorithm Mechanism to validate client credentials 4

5 Requirements for Secure Wireless LANs Encryption and Data Privacy Encryption Algorithm Message Integrity Authentication and Access Control TKIP-PPK or AES-CCM Authentication Framework 802.1X/EAP TKIP-MIC or AES-CBC-MAC Authentication Algorithm LEAP, PEAP, or EAP-TLS 5

6 Agenda Requirements for secure wireless LANs Overview of 802.1X and TKIP Determining which EAP type best suits your needs What Lies Ahead 6

7 Overview of 802.1X Link layer (layer 2) support for Extensible Authentication Protocol (EAP) Securely facilitates authentication message exchanges between: Wireless Client Access Point AAA Server Allows the use of numerous authentication algorithms WLAN implementations of 802.1X must support mutual authentication 7

8 Overview of 802.1X Client Start Request Identity Access Point RADIUS Server AP Blocks all Requests until Authentication Completes Identity Identity RADIUS Server Authenticates Client Client Authenticates RADIUS Server Success Success 8

9 Overview of the Cisco Temporal Key Integrity Protocol (TKIP) WEP is broken AirSnort attack, among others render WEP ineffective TKIP is designed to patch WEP not the long term WLAN encryption solution Allows existing devices to be upgraded 9

10 Cisco Wireless Security Suite Cisco Aironet offers a complete end-to-end WLAN security solution 802.1X Support LEAP, PEAP, and EAP-TLS Temporal Key Integrity Protocol (TKIP) Per Packet Keying (PPK) for encryption Message Integrity Check (MIC) Broadcast Key Rotation Centralized Management 10

11 Per Packet Keying Overview IV Base WEP Key Plaintext Hash XOR Ciphertext IV Packet Key WEP Key Stream Initialization Vector (IV) A counter that increments with each frame IV is hashed with base WEP key Result is a new Packet WEP key The Packet WEP key changes per IV 11

12 MIC Overview MIC is calculated from Random Seed Value MAC Header Seed DA SA LLC SNAP SEQ Payload Sequence Number Data Payload Components are hashed to derive a 32 bit MIC SEQ number must be in order, or frame is dropped MMH Hash 4 Byte MIC 12

13 Message Integrity Check (MIC) Standard WEP Frame Header IV LLC SNAP Payload ICV WEP Encrypted MIC Enhanced WEP Frame Header IV LLC SNAP MIC SEQ Payload ICV WEP Encrypted 13

14 Broadcast Key Rotation Overview Broadcast key is required in 802.1X environments Re-keying of broadcast key is necessary, just as with unicast key Key is delivered to client encrypted with client s dynamic key 14

15 Agenda Requirements for secure wireless LANs Overview of 802.1X and TKIP Determining which EAP type best suits your needs What Lies Ahead 15

16 EAP Type Criteria Must support mutual authentication Network authenticates client Client authenticates network Must support user based, dynamic key generation 16

17 What EAP types are available? LEAP EAP-TLS EAP-PEAP Server Authentication Password Certs/PKI Certs/PKI Client Authentication Password Certs/PKI Password 1 Single Sign On Yes Yes No 2 Vulnerable to Password Attack No 3 No No OTP/LDAP Support No N/A Yes Additional Infrastructure No Yes/CA Yes/CA 1 Not limited to password schemes, but that is what is currently available 2 MS native supplicant supports SSO w/eap-ms-chapv2 3 Requires strong passwords 17

18 Deployment Considerations Types of Clients Laptops/PDAs have more CPU available to support PKI (for PEAP/EAP-TLS) End-user Operating System Existing User Authentication Database and Authentication Server Management Overhead Management of digital certificates is required with PEAP/EAP-TLS Security Policy Reliance on password based schemes may violate security policy Centralized Deployment Large scale deployment across many central sites may add to authentication latency 18

19 Agenda Requirements for secure wireless LANs Overview of 802.1X and TKIP Determining which EAP type best suits your needs What lies ahead 19

20 What Lies Ahead Enhanced encryption schemes WEP is ineffective and TKIP is designed as a temporary solution Ubiquitous authentication for multi-client environments OS/Client support should be non-issue 20

21 Advanced Encryption Standard (AES) Mandatory for i compliance Rijndael Algorithm Block Cipher 128,192, and 256 bit key support 3DES successor Sponsored by National Institute of Standards and Technology (NIST) 21

22 Cisco Wireless LAN Security Links Cisco Wireless LAN Security website Cisco Aironet Wireless LAN Security Overview Wireless LAN Security White Paper Configuring the Cisco Wireless Security Suite SAFE: Wireless LAN Security in Depth EAP-TLS Deployment Guide for Wireless LAN Networks Authentication with 802.1X and EAP Across Congested WAN Links Cisco Mobile Office: At Work (Click on - Technology Overview) 22

23 23