Scribd Logo
Upload

Welcome to Scribd!

  • Wireless LAN Security: Kim W. Tracy NEIU, University Computing

    Uploaded by

    Cptcafecpt Cptcafe
    20 views26 pages
    LAN security cannot be considered in isolation and to be effective must consider the entire system. Wireless LANs are bringing issue out 8 authentication services 802.1x - IEEE standard for LAN authentication can use PKI certificate-based authentication Single login (once per session) to multiple servers / domains,,Ticket" for each server based on public key infrastructure used in SSL, IPSEC, S / MIME, SET.

    Original Description:

    Original Title

    Wireless

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    LAN security cannot be considered in isolation and to be effective must consider the entire system. Wireless LANs are bringing issue out 8 authentication services 802.1x - IEEE standard for LAN authentication can use PKI certificate-based authentication Single login (once per session) to multiple servers / domains,,Ticket" for each server based on public key infrastructure used in SSL, IPSEC, S / MIME, SET.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    20 views26 pages

    Wireless LAN Security: Kim W. Tracy NEIU, University Computing

    Uploaded by

    Cptcafecpt Cptcafe
    LAN security cannot be considered in isolation and to be effective must consider the entire system. Wireless LANs are bringing issue out 8 authentication services 802.1x - IEEE standard for LAN authentication can use PKI certificate-based authentication Single login (once per session) to multiple servers / domains,,Ticket" for each server based on public key infrastructure used in SSL, IPSEC, S / MIME, SET.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 26

    Wireless LAN Security

    Kim W. Tracy NEIU, University Computing k.w.tracy@ieee.org


    1

    Outline

    Threats to LANs & Wireless LANs Wireless LAN Security Techniques Summary

    Fundamental Premise

    Security cannot be considered in isolation and to be effective must consider the entire system That is, network and LAN security must be:

    Consistent with other security mechanisms

    E.g. application, data, hardware, and physical

    Supportive of other security mechanisms


    3

    Threats

    LAN Threats
    Protecting Integrity

    Protecting Secrecy

    Network Traffic

    Protecting Availability

    Specific LAN Threats

    Availability

    Worms/Virus DoS Errant applications creating lots of traffic/malformed traffic


    Spying devices on LAN

    Authentication

    For example, a contractor connecting to LAN

    Secrecy

    Sniffers being connected to the LAN to collect passwords, etc.


    6

    Authentication

    Current State of LAN Authentication

    Usually none!

    If in the building can plug in to the LAN Can cause severe problems:

    Using LAN for illegal purposes (company/person may be liable) Can more easily compromise servers

    For example, send spam from your mail servers

    Wireless LANs are bringing issue out


    8

    Authentication services

    802.1X IEEE standard for LAN authentication

    Can use PKI certificate-based authentication

    Kerberos (closed environment)


    Single login (once per session) To multiple servers/domains Ticket for each server Based on public key infrastructure Used in SSL, IPSEC, S/MIME, SET One-way, two-way or three-way authentication
    9

    X.509 (open environment)

    Kerberos

    10

    X.509 Authentication
    A
    One-way authentication
    [Ta, Ra, B, EkpubB(Kab) ] sgnA

    [Ta, Ra, B, EkpubB(Kab) ] sgnA

    Two-way authentication

    [Tb, Rb, A, Ra, EkpubA(Kab) ] sgnB

    [Ta, Ra, B, EkpubB(Kab) ] sgnA [Tb, Rb, A, Ra, EkpubA(Kab) ] sgnB

    Three-way authentication
    [Rb] sgnA

    11

    IEEE 802.1X Terminology

    Supplicant

    Authenticator Uncontrolled port

    Authentication Server

    Controlled port

    802.1X

    created to control access to any 802 LAN


    used as a transport for Extensible Authentication Protocol (EAP, RFC 2284) 12

    802.1X Model
    AP STA
    Associate EAP Identity Request EAP Identity Response EAP Auth Request EAP Auth Response EAP-Success EAP Identity Response

    Authentication Server

    EAP Auth Request


    EAP Auth Response EAP-Success

    Authentication traffic

    Port Status:
    Normal Data

    13

    Wireless LAN Security

    14

    Introduction

    802.11 standard specifies the operating parameters of wireless local area networks (WLAN)

    History: 802.11, b, a, g, i

    Minimal security in early versions Original architecture not well suited for modern security needs 802.11i attempts to address security issues with WLANs
    15

    802.11b

    Wired Equivalent Privacy (WEP)

    Confidentiality

    Encryption

    40-bit keys (increased to 104-bit by WEP2) Based on RC4 algorithm

    Access Control

    Shared key authentication + Encryption Integrity checksum computed for all messages

    Data Integrity

    16

    802.11b

    Vulnerabilities in WEP

    Poorly implemented encryption

    Key reuse, small keys, no keyed MIC

    Weak authentication No key management No interception detection

    17

    802.11b

    Successful attacks on 802.11b


    Key recovery - AirSnort Man-in-the-middle Denial of service Authentication forging Known plaintext Known ciphertext

    18

    802.11i

    Security Specifications

    Improved Encryption

    CCMP (AES), TKIP, WRAP

    2-way authentication Key management Ad-hoc network support Improved security architecture

    19

    802.11i Authentication

    Source: Cam-Winget, Moore, Stanley and Walker

    20

    802.11 Encryption

    Source: Cam-Winget, Moore, Stanley and Walker

    21

    802.11i Potential Weaknesses

    Hardware requirements

    Hardware upgrade needed for AES support

    Strength of TKIP and Wrap questionable in the long term

    Authentication server needed for 2-way authentication The more complex a system is, the more likely it may contain an undetected backdoor

    Complexity

    Patchwork nature of fixing 802.11b


    22

    No Control over WLAN?

    Often you want to connect to a wireless LAN over which you have no control Options:

    If you can, connect securely (WPA2, 802.11i, etc.) If unsecured, connect to your secure systems securely:

    VPN Virtual Private Network SSL connections to secure systems

    Be careful not to expose passwords Watch for direct attacks on untrusted networks 23

    WLAN Security - Going Forward

    802.11i appears to be a significant improvement over 802.11b from a security standpoint Vendors are nervous about implementing 802.11i protocols due to how quickly WEP was compromised after its release Only time will tell how effective 802.11i actually will be Wireless networks will not be completely secure until the standards that specify them are designed from the beginning with security in mind
    24

    Summary

    Wireless LAN Security is not independent of the greater network security and system security Threats to the Wireless LAN are largely in terms of being available and in providing a means to attack systems on the network

    That is, not many folks attack routers (yet)


    25

    References

    ftp://ftp.prenhall.com/pub/esm/web_marketing /ptr/pfleeger/ch07.pdf - Charles & Shari Pfleegers chapter on network security http://www.gocsi.com/forms/fbi/pdf.jhtml - To request the Computer Security Institute/FBI yearly survey results (widely referenced)

    26

    You might also like