Securing Your Wireless LAN


Securing Your Wireless LAN
Pejman Roshan, Product Manager, Cisco Aironet Wireless Networking
Session Number 1

Agenda
- Requirements for secure wireless LANs
- Overview of 802.1X and TKIP
- Determining which EAP type best suits your needs
- What lies ahead

Requirements for Secure Wireless LANs
- Encryption and Data Privacy
  - Encryption Algorithm
  - Message Integrity
- Authentication and Access Control
  - Authentication Framework
  - Authentication Algorithm

Requirements for Secure Wireless LANs
- Encryption Algorithm: Mechanism to provide data privacy
- Message Integrity: Ensures data frames are tamper free and truly from the source address
- Authentication Framework: Framework to facilitate authentication messages between clients, access point, and AAA server
- Authentication Algorithm: Mechanism to validate client credentials

Requirements for Secure Wireless LANs
- Encryption and Data Privacy
  - Encryption Algorithm: TKIP-PPK or AES-CCM
  - Message Integrity: TKIP-MIC or AES-CBC-MAC
- Authentication and Access Control
  - Authentication Framework: 802.1X/EAP
  - Authentication Algorithm: LEAP, PEAP, or EAP-TLS


Overview of 802.1X
- Link layer (layer 2) support for Extensible Authentication Protocol (EAP)
- Securely facilitates authentication message exchanges between:
  - Wireless Client
  - Access Point
  - AAA Server
- Allows the use of numerous authentication algorithms
- WLAN implementations of 802.1X must support mutual authentication

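Overview of 802.1X
[Diagram: message exchange between Client, Access Point, and RADIUS Server]
1. Start (Client to Access Point)
2. Request Identity (Access Point to Client)
   AP blocks all requests until authentication completes
3. Identity (Client to Access Point), Identity (Access Point to RADIUS Server)
4. RADIUS Server authenticates Client
5. Client authenticates RADIUS Server
6. Success (RADIUS Server to Access Point), Success (Access Point to Client)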

Overview of the Cisco Temporal Key Integrity Protocol (TKIP)
- WEP is broken
  - The AirSnort attack, among others, renders WEP ineffective
- TKIP is designed to patch WEP; it is not the long term WLAN encryption solution
- Allows existing devices to be upgraded

Cisco Wireless Security Suite
- Cisco Aironet offers a complete end-to-end WLAN security solution
- 802.1X Support
  - LEAP, PEAP, and EAP-TLS
- Temporal Key Integrity Protocol (TKIP)
  - Per Packet Keying (PPK) for encryption
  - Message Integrity Check (MIC)
- Broadcast Key Rotation
- Centralized Management

Per Packet Keying Overview
[Diagram labels: IV, Base WEP Key, Hash, IV, Packet Key, WEP, Key Stream, Plaintext, XOR, Ciphertext]
- Initialization Vector (IV): a counter that increments with each frame
- IV is hashed with base WEP key
- Result is a new Packet WEP key
- The Packet WEP key changes per IV
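
The key derivation on the Per Packet Keying slide, as an added example that is not from the original presentation or from Cisco's code. It contrasts the RC4 seed of standard WEP (IV followed by the unchanged base key) with a seed built from a hashed packet key. Assumptions: truncated SHA-256 stands in for the hash the slide does not specify, the seed layout is IV followed by packet key, and all key, IV and payload values are constructed.

```python
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4, the stream cipher inside WEP: key schedule, then keystream XOR data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def static_wep_seed(iv: bytes, base_key: bytes) -> bytes:
    """Standard WEP: RC4 is keyed with IV || base key, so the secret
    part of the seed is the same in every frame."""
    return iv + base_key

def packet_key(iv: bytes, base_key: bytes) -> bytes:
    """Per packet keying: hash the IV with the base key.
    Truncated SHA-256 is a stand-in (assumption), not Cisco's hash."""
    return hashlib.sha256(iv + base_key).digest()[:len(base_key)]

def ppk_seed(iv: bytes, base_key: bytes) -> bytes:
    """IV || packet key (assumed layout): the secret part changes with the IV."""
    return iv + packet_key(iv, base_key)

def next_iv(iv: bytes) -> bytes:
    """The IV is a 24-bit counter that increments with each frame."""
    return ((int.from_bytes(iv, "big") + 1) % (1 << 24)).to_bytes(3, "big")

# Constructed sample values, not taken from the slides.
BASE_KEY = bytes.fromhex("0102030405060708090a0b0c0d")  # 104-bit WEP key
IV0 = bytes.fromhex("00002a")
PLAINTEXT = b"constructed sample payload"

def demo() -> dict:
    iv1 = next_iv(IV0)
    ct = rc4(ppk_seed(IV0, BASE_KEY), PLAINTEXT)
    return {
        "static_secret_repeats": static_wep_seed(IV0, BASE_KEY)[3:] == static_wep_seed(iv1, BASE_KEY)[3:],
        "ppk_secret_repeats": packet_key(IV0, BASE_KEY) == packet_key(iv1, BASE_KEY),
        "receiver_decrypts": rc4(ppk_seed(IV0, BASE_KEY), ct) == PLAINTEXT,
    }
```

Because the derivation is deterministic, a repeated IV yields the same packet key, so the base key still has to be rotated before the 24-bit counter wraps.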

MIC Overview
- MIC is calculated from:
  - Random Seed Value
  - MAC Header
  - Sequence Number
  - Data Payload
- Components are hashed to derive a 32 bit MIC
- SEQ number must be in order, or frame is dropped
[Diagram: Seed | DA | SA | LLC SNAP | SEQ | Payload -> MMH Hash -> 4 Byte MIC]

Message Integrity Check (MIC)
- Standard WEP Frame:
  802.11 Header | IV | LLC | SNAP | Payload | ICV
  [part of the frame is marked "WEP Encrypted"]
- MIC Enhanced WEP Frame:
  802.11 Header | IV | LLC | SNAP | MIC | SEQ | Payload | ICV
  [part of the frame is marked "WEP Encrypted"]
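
A receive-side check for the MIC and SEQ fields described on the two MIC slides, as an added example that is not from the original presentation or from Cisco's code. Assumptions: HMAC-SHA256 truncated to 4 bytes stands in for the MMH hash, "in order" is read as strictly greater than the last accepted sequence number, and the seed, addresses, LLC/SNAP bytes and payloads are constructed.

```python
import hashlib
import hmac
import struct

LLC_SNAP = bytes.fromhex("aaaa030000000800")  # constructed sample LLC/SNAP header

def compute_mic(seed: bytes, da: bytes, sa: bytes, seq: int, payload: bytes) -> bytes:
    """4-byte MIC over seed, DA, SA, LLC/SNAP, SEQ and payload.
    Truncated HMAC-SHA256 is a stand-in (assumption) for the MMH hash."""
    msg = da + sa + LLC_SNAP + struct.pack(">I", seq) + payload
    return hmac.new(seed, msg, hashlib.sha256).digest()[:4]

def build_frame(seed: bytes, da: bytes, sa: bytes, seq: int, payload: bytes) -> dict:
    """Sender side: attach SEQ and the MIC computed over the listed components."""
    return {"da": da, "sa": sa, "seq": seq, "payload": payload,
            "mic": compute_mic(seed, da, sa, seq, payload)}

class Receiver:
    """Drops frames whose MIC does not verify or whose SEQ is not in order."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.last_seq = -1

    def accept(self, frame: dict) -> str:
        expected = compute_mic(self.seed, frame["da"], frame["sa"],
                               frame["seq"], frame["payload"])
        # Constant-time comparison so the check does not leak how many bytes matched.
        if not hmac.compare_digest(expected, frame["mic"]):
            return "drop: MIC mismatch"
        if frame["seq"] <= self.last_seq:
            return "drop: sequence out of order"
        self.last_seq = frame["seq"]
        return "accept"

# Constructed sample values, not taken from the slides.
SEED = bytes.fromhex("00112233445566778899aabbccddeeff")
DA = bytes.fromhex("020000000001")
SA = bytes.fromhex("020000000002")

def demo() -> list:
    rx = Receiver(SEED)
    good = build_frame(SEED, DA, SA, 1, b"first frame")
    tampered = dict(build_frame(SEED, DA, SA, 2, b"second frame"), payload=b"altered frame")
    spoofed = dict(build_frame(SEED, DA, SA, 2, b"second frame"), sa=bytes.fromhex("020000000099"))
    return [rx.accept(good), rx.accept(tampered), rx.accept(spoofed),
            rx.accept(good), rx.accept(build_frame(SEED, DA, SA, 2, b"second frame"))]
```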

Broadcast Key Rotation Overview
- Broadcast key is required in 802.1X environments
- Re-keying of broadcast key is necessary, just as with unicast key
- Key is delivered to client encrypted with client's dynamic key


EAP Type Criteria
- Must support mutual authentication
  - Network authenticates client
  - Client authenticates network
- Must support user based, dynamic key generation

What EAP types are available?

                                LEAP        EAP-TLS     EAP-PEAP
Server Authentication           Password    Certs/PKI   Certs/PKI
Client Authentication           Password    Certs/PKI   Password (1)
Single Sign On                  Yes         Yes         No (2)
Vulnerable to Password Attack   No (3)      No          No
OTP/LDAP Support                No          N/A         Yes
Additional Infrastructure       No          Yes/CA      Yes/CA

(1) Not limited to password schemes, but that is what is currently available
(2) MS native supplicant supports SSO w/eap-ms-chapv2
(3) Requires strong passwords

Deployment Considerations
- Types of Clients
  - Laptops/PDAs have more CPU available to support PKI (for PEAP/EAP-TLS)
- End-user Operating System
- Existing User Authentication Database and Authentication Server
- Management Overhead
  - Management of digital certificates is required with PEAP/EAP-TLS
- Security Policy
  - Reliance on password based schemes may violate security policy
- Centralized Deployment
  - Large scale deployment across many central sites may add to authentication latency


What Lies Ahead
- Enhanced encryption schemes
  - WEP is ineffective and TKIP is designed as a temporary solution
- Ubiquitous authentication for multi-client environments
  - OS/Client support should be non-issue

Advanced Encryption Standard (AES)
- Mandatory for 802.11i compliance
- Rijndael Algorithm
- Block Cipher
- 128, 192, and 256 bit key support
- 3DES successor
- Sponsored by National Institute of Standards and Technology (NIST)

Cisco Wireless LAN Security Links
- Cisco Wireless LAN Security website: http://www.cisco.com/go/aironet/security
- Cisco Aironet Wireless LAN Security Overview: http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/a350w_ov.htm
- 802.11 Wireless LAN Security White Paper: http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/index.shtml
- Configuring the Cisco Wireless Security Suite: http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wrsec_an.htm
- SAFE: Wireless LAN Security in Depth: http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safwl_wp.htm
- EAP-TLS Deployment Guide for Wireless LAN Networks: http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/acstl_wp.pdf
- Authentication with 802.1X and EAP Across Congested WAN Links: http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/authp_an.htm
- Cisco Mobile Office: At Work (Click on - Technology Overview): http://www.cisco.com/go/atwork