Post on 21-Dec-2015
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-1
Security
Olga Torstensson
Halmstad University
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-2
Key terms
• WEP• TKIP• MIC• EAP• 802.1X• WPA• CCKM• RADIUS• SSH• Encryption
•RSA RC4 (WEP)•DES, 3DES, AES
• Cipher• BKR
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-3
Advanced Security Terms
• WEP – Wired Equivalent Privacy
• EAP – Extensible Authentication Protocol
• TKIP – Temporal Key Integrity Protocol
• CKIP – Cisco Key Integrity Protocol
• CMIC – Cisco Message Integrity Check
• Broadcast Key Rotation – Group Key Update
• WPA – Wi-Fi Protected Access (WPA)
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-4
Security Fundamentals
Balancing Security and Access
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-5
Vulnerabilities
•Technology– TCP/IP– WEP and Broadcast SSID– Association Process– Wireless Interference
•Configuration– Default passwords– Unneeded Services enabled– Few or no filters– Poor device maintenance
•Policy– Weak Security Policy– No Security Policy– Poorly enforced Policy– Physical Access– Poor or no monitoring
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-6
Threats
•Internal
•External
•Structured
•Unstructured
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-7
The Security Attack—Recon and Access
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-8
The Security Attacks—DoS
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-9
WLAN Security Wheel
Always have a good WLAN Security Policy in place. Secure the network based on the policy
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-10
WLAN Security Considerations
Authentication – only authorized users and devices should be allowed.
Encryption – traffic should be protected from unauthorized access.
Administration Security – only authorized users should be able to access and configure the AP configuration interfaces.
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-11
Common Protocols which use Encryption
When using a public network such as a WLAN, FTP, HTTP, POP3, and SMTP are insecure and should be avoided whenever possible. Utilize protocols with encryption.
TrafficTraffic No Encryption
No Encryption
EncryptionEncryption
Web BrowsingWeb Browsing HTTPS *HTTPS *HTTPHTTP
File TransferFile Transfer TFTP or FTPTFTP or FTP SCPSCP
EmailEmail
Remote MgmtRemote Mgmt
POP3 or SMTPPOP3 or SMTP SPOP3 *SPOP3 *
TelnetTelnet SSHSSH
* SSL/TLS
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-12
WLAN Security Hierarchy
VirtualPrivate
Network (VPN)
No Encryption, Basic Authentication
Public “Hotspots”
Open Access 40-bit or 128-bitStatic WEP Encryption
Home Use
Basic Security 802.1x,TKIP/WPA Encryption,Mutual Authentication,
Scalable Key Mgmt., etc.
Business
Enhanced Security
Remote Access
Business Traveler,
Telecommuter
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-13
Basic WLAN Security
Admin Authentication on AP To prevent unauthorized access to the AP
configuration interfaces:
•Configure a secret password for the privileged mode access. (good)
•Configure local usernames/passwords. (better)
•Configure AP to utilize a security server for user access. (best)
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-14
User Manager
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-15
Admin Access CLI View
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-16
Console Password
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-17
SSID Manager
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-18
SSID Manager (cont)
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-19
Global SSID Properties
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-20
SSID CLI View
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-21
WEP
WEP is a key.
WEP scrambles communications between AP and client.
AP and client must use same WEP keys.
WEP keys encrypt unicast and multicast.
WEP is easily attacked
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-22
Supported Devices
What can be a client?•Client
•Non-Root bridge
•Repeater access point
•Workgroup Bridge
Authenticator?•Root access point
•Root bridge
?
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-23
Enabling LEAP on the Client
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-24
Configuring LEAP on the Client
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-25
WEP Encryption Keys
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-26
Enterprise WLAN AuthenticationAuthentication Types
• Open Authentication to the Access Point
• Shared Key Authentication to the Access Point
• EAP Authentication to the Network
• MAC Address Authentication to the Network
• Combining MAC-Based, EAP, and Open Authentication
• Using CCKM for Authenticated Clients
• Using WPA Key Management
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-27
WLAN Security:802.1X Authentication
Mutual Authentication
EAP-TLS•EAP-Transport Layer Security•Mutual Authentication implementation•Used in WPA interoperability testing
LEAP•“Lightweight” EAP•Nearly all major OS’s supported:–WinXP/2K/NT/ME/98/95/CE, Linux, Mac, DOS
PEAP•“Protected” EAP•Uses certificates or One Time Passwords (OTP)•Supported by Cisco, Microsoft, & RSA•GTC (Cisco) & MSCHAPv2 (Microsoft) versions
Client
APRadiusServer
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-28
EAP
Extensible Authentication Protocol (802.1x authentication)
Provides dynamic WEP keys to user devices.
Dynamic is more secure, since it changes.
Harder for intruders to hack…by the time they have performed the calculation to learn the key, they key has changed!
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-29
Basic RADIUS Topology
RADIUS can be implemented:
• Locally on an IOS AP
• Up to 50 users
• On a ACS Server
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-30
Local Radius Server
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-31
Local Radius Server Statistics
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-32
Radius Server User Groups
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-33
ACS Server Options
Cisco Secure ACS Software
Cisco ACS Solution Engine
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-34
Backup Security Server Manager
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-35
Global Server Properties
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-36
Enterprise Encryption WPA
Interoperable, Enterprise-Class Security
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-37
Cipher “Suite”
Cipher suites are sets of encryption and integrity algorithms.
Suites provide protection of WEP and allow use of authenticated key management.
Suites with TKIP provide best security.
Must use a cipher suite to enable:•WPA – Wi-Fi Protected Access
•CCKM – Cisco Centralized Key Management
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-38
Configuring the Suite
Create WEP keys
Enable Cipher “Suite” and WEP
Configure Broadcast Key Rotation
Follow the Rules
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-39
WEP Key Restrictions
Security Configuration WEP Restriction
CCKM or WPA key mgt. No WEP in slot 1
LEAP or EAP No WEP in slot 4
40-bit WEP No 128-bit key
128-bit WEP No 40-bit key
TKIP No WEP keys
TKIP and 40 or 128 WEP No WEP in slot 1 and 4
Static WEP w/MIC or CMIC
WEP and slots must match on AP & client
Broadcast key rotation Keys in slots 2 & 3 overwritten
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-40
Security Levels
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-41
Enterprise WLAN Security Evolution
TKIP/WPA•Successor to WEP
•Cisco’s pre-standard TKIP has been shipping since Dec.’01
•Cisco introduced TKIP into 802.11i committee
•802.11i-standardized TKIP part of Wi-Fi Protected Access (WPA)
•WPA software upgrade now available for AP1100 & AP1200
AES•The “Gold Standard” of encryption
•AES is part of 802.11i standard–- AES will be part of WPA2 standard (expected in 2004)
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-42
Encryption Modes
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-43
Encryption Global Properties
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-44
Matching Client to AP
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-45
Matching Client to AP
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-46
Matching Client to AP
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-47
Matching Client to AP
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-48
Matching Client to AP
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-49
Matching Client to AP
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-50
Advanced Security: MAC Authentication
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-51
Adv. Security: EAP Authentication
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-52
Adv. Security: Timers
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-53
VLANs
Configuring your access point to support VLANs is a three-step process:
Assign SSIDs to VLANs.
Assign authentication settings to SSIDs.
Enable the VLAN on the radio and Ethernet ports.
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-54
Using VLANs for Security
SSID: dataSecurity: PEAP + AES
802.1Q wired network w/ VLANs
SSID: visitorSecurity: None
AP Channel: 6SSID “data” = VLAN 1SSID “voice” = VLAN 2 SSID “visitor” = VLAN 3
SSID: voiceSecurity: LEAP + WPA