Outline
Threats to LANs & Wireless LANs
Wireless LAN Security Techniques
Summary
Fundamental Premise
Security cannot be considered in isolation and, to be effective, must consider the entire system. That is, network and LAN security must be:
Threats
LAN Threats
Protecting Integrity
Protecting Secrecy
Network Traffic
Protecting Availability
Availability
Authentication
Secrecy
Authentication
Usually none!
If in the building, can plug in to the LAN
Can cause severe problems:
Using LAN for illegal purposes (company/person may be liable)
Can more easily compromise servers
Authentication services
Single login (once per session)
To multiple servers/domains
Ticket for each server
Based on public key infrastructure
Used in SSL, IPSEC, S/MIME, SET
One-way, two-way or three-way authentication
Kerberos
X.509 Authentication
A
One-way authentication
[Ta, Ra, B, EkpubB(Kab) ] sgnA
Two-way authentication
Three-way authentication
[Rb] sgnA
Supplicant
Authentication Server
Controlled port
802.1X
802.1X Model
AP STA
Associate
EAP Identity Request
EAP Identity Response
EAP Auth Request
EAP Auth Response
EAP-Success
EAP Identity Response
Authentication Server
Authentication traffic
Port Status:
Normal Data
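The 802.1X model above keeps the controlled port closed to normal data until the EAP exchange ends in EAP-Success. The following Python sketch is an added example, not part of the original slides; the state names, the (sender, message) tuple format and the "AS" label for the authentication server are assumptions.

```python
# Added example: authenticator-side model of the 802.1X controlled port.
# State names, tuple format and the "AS" label are assumptions of this sketch.

# (current state, sender, message) -> (next state, action taken by the AP)
TRANSITIONS = {
    ("IDLE", "STA", "Associate"): ("WAIT_ID", "send EAP Identity Request"),
    ("WAIT_ID", "STA", "EAP Identity Response"): ("WAIT_REQ", "relay to AS"),
    ("WAIT_REQ", "AS", "EAP Auth Request"): ("WAIT_RESP", "relay to STA"),
    ("WAIT_RESP", "STA", "EAP Auth Response"): ("WAIT_RESULT", "relay to AS"),
    ("WAIT_RESULT", "AS", "EAP-Success"): ("AUTHORIZED", "open controlled port"),
}


class Authenticator:
    """AP port logic: EAP passes at any time, data only once authorized."""

    def __init__(self):
        self.state = "IDLE"

    @property
    def port_status(self):
        return "authorized" if self.state == "AUTHORIZED" else "unauthorized"

    def handle(self, sender, message):
        if message == "Normal Data":
            # Controlled port: data frames are dropped until EAP-Success.
            return "forwarded" if self.state == "AUTHORIZED" else "dropped"
        step = TRANSITIONS.get((self.state, sender, message))
        if step is None:
            # Out-of-order or wrong-sender EAP closes the port and restarts.
            self.state = "IDLE"
            return "rejected"
        self.state, action = step
        return action


def run(frames):
    """Feed (sender, message) frames to a fresh authenticator."""
    ap = Authenticator()
    return [ap.handle(s, m) for s, m in frames], ap.port_status


# Constructed trace: the slide's exchange, with data tried before and after.
GOOD = [("STA", "Normal Data"), ("STA", "Associate"),
        ("STA", "EAP Identity Response"), ("AS", "EAP Auth Request"),
        ("STA", "EAP Auth Response"), ("AS", "EAP-Success"),
        ("STA", "Normal Data")]
# Constructed trace: EAP-Success arrives from the station, not the server.
BAD = [("STA", "Associate"), ("STA", "EAP Identity Response"),
       ("STA", "EAP-Success"), ("STA", "Normal Data")]
```

Calling `run(GOOD)` and `run(BAD)` returns the per-frame actions and the final port status for each trace.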
Introduction
802.11 standard specifies the operating parameters of wireless local area networks (WLAN)
History: 802.11, b, a, g, i
Minimal security in early versions
Original architecture not well suited for modern security needs
802.11i attempts to address security issues with WLANs
802.11b
Confidentiality: Encryption
Access Control: Shared key authentication + Encryption
Data Integrity: Integrity checksum computed for all messages
802.11b
Vulnerabilities in WEP
802.11b
Key recovery - AirSnort
Man-in-the-middle
Denial of service
Authentication forging
Known plaintext
Known ciphertext
802.11i
Security Specifications
Improved Encryption
2-way authentication
Key management
Ad-hoc network support
Improved security architecture
802.11i Authentication
802.11 Encryption
Hardware requirements
Authentication server needed for 2-way authentication
Complexity
The more complex a system is, the more likely it may contain an undetected backdoor
Often you want to connect to a wireless LAN over which you have no control
Options:
If you can, connect securely (WPA2, 802.11i, etc.)
If unsecured, connect to your secure systems securely:
Be careful not to expose passwords
Watch for direct attacks on untrusted networks
802.11i appears to be a significant improvement over 802.11b from a security standpoint.
Vendors are nervous about implementing 802.11i protocols due to how quickly WEP was compromised after its release.
Only time will tell how effective 802.11i actually will be.
Wireless networks will not be completely secure until the standards that specify them are designed from the beginning with security in mind.
Summary
Wireless LAN security is not independent of the greater network security and system security.
Threats to the wireless LAN are largely in terms of being available and in providing a means to attack systems on the network.