Assembling a secure 802.11 wireless network

Post on 18-Nov-2014


ASSEMBLING A SECURE 802.11 WIRELESS NETWORK

Joerg Fritsch, NATO C3 Agency

RSA Conference 2005, 18 Oct, 2pm, Austria Center Vienna

Session learning objectives

• Understand the meaning of NIST recommendations and ‘FIPS’ compliance.

• Introduce the building blocks of a secure 802.11 wireless network.

• Visualize aspects of site survey, planning and roll out of a secure wireless network.

• Discriminate between ‘WLAN compatible’ and ‘security compatible’ equipment.

• Know why this is important for your future plans

What is “NIST compliant” WLAN?

• U.S. NIST = National Institute of Standards and Technology

• NIST WLAN = 56 recommendations, http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf

• last updated in November 2002, but still pretty much up-to-date and relevant to implementers

• mainly standards which were (at that time) still in the draft stage

• rumor about proposed update since beginning 2005, http://www.findarticles.com/p/articles/mi_qa3649/is_200501/ai_n9468284

• NIST makes recommendations, not law, not recipes

“NIST compliant” = new standards (i.e. be brave…)

• Network authentication

— 802.1x

— EAP, EAP-FAST

— LEAP etc.

• Temporal key management

— WPA, WPAv2

• Ciphers

— AES

— TKIP

What are the building blocks?

• Users (fixed, or mobile)

• Access points

• Authentication (this is new, compared to traditional WLAN)

• Confidentiality

— Link encryption by APs

— IPsec overlay (fully FIPS-compliant WLANs; this is also a new idea)

• Monitoring and logging

• Physical Security of the APs

What about FIPS compliance?

• (U.S.) Federal Information Processing Standard

• “Mandatory” feature that equipment bought by the government must support

• Currently there are no FIPS compliant wireless access points

• Be careful! Some vendors advertise this, but they really mean a combination of AP and VPN

• FIPS 140-2 compliance always generated by some sort of VPN concentrator (at our site Cisco VPN 3K)

IPsec overlay: fully NIST- and FIPS-compliant WLANs

Advantages

• Fully “NIST compliant”

• Common vulnerabilities (i.e. during association of the WLAN client) do not fire.

• Increases security and interoperability

• Integrates well with strong authentication

Disadvantages

• Industry's efforts are aiming for integrated wireless networks → you cut the link between you and the rest of the world

• VPN Client required (compatibility, interoperability!)

• Single Sign On is hard to achieve

There are two ways to assemble the building blocks: WLAN collocated with LAN

• We prefer this implementation framework because:

• SSO for all WLAN Clients

• Additional Software (VPN Client) optional

• All private network services available for WLAN Clients

— File and Print services

— VLAN segmentation

— VoIP

There are two ways to assemble the building blocks: WLAN segregated from LAN

• Additional security

• Integrates best with

— IPsec overlay

— Server based computing

• WLAN itself still needs to be secured

• Firewall policy easily will become permissive if not implemented in conjunction with IPsec overlay or server based computing

Planning of a NIST compliant WLAN net

• All the stuff for a regular installation

— Site Survey Tools

• RF propagation Software

• Antennas, Cards & GPS

• Floor Plans

— Site Survey

• Selection of cell size and antennas

• General positioning indoor/outdoor

— Recommendations on physical security vs shielding & interference

• … plus physical security of the APs (manipulation, theft)

• … this can make your life much, much harder

Rolling out a NIST-compliant WLAN net (Here’s what we did at NC3A)

• Our design goals

• Our security goals

• Our implementation plan

• What we bought and our experience of implementing it

• What we have learned (so far…)

— How it fits with our existing hard- and software

(If it’s only 6 months old, can you call it “legacy” ???)

— Risk evaluation !!!!!!!

Primary Design Goals

• Following the U.S. NIST security guidelines for governmental use

— Not required in NATO as yet, but probably a “best practice”

• Building a network that

— provides an acceptable privacy for a NATO UNCLASSIFIED network

— is not too difficult to implement

— Can teach us about future, higher security WLAN nets

• New features supportable on our existing hardware

• Preserving the advantages of a traditional WLAN

— Mobility

— user friendly

— low administrative overhead

Security Goals

• Do the best we can do (remember, it’s NATO UNCLASSIFIED)

• Do not cut the link between us and the rest of the world

• Mitigate known risks

• Imagine the unknown risks

• Know who is on our network (and who might try to sneak in)

• Understand what we are doing, and why

• Visualize the new network perimeter

We live in a simple security environment (not everyone is so lucky)

We can place APs in corridors where they are visible and accessible

Fitting the APs to the Physical Building

We find that even simple RF propagation models are quite effective and realistic …

But you need to have good physical building plans

What we bought

• Authentication:

— Funk “Steel Belted Radius” Server

— Microsoft Windows Domain Controller

• Access points: Cisco 1200 Access Points

• Antennas: 2dBi omni directional, ceiling mountable

• Confidentiality:

— WPA/TKIP or WPAv2/AES through Cisco IOS on APs

— FIPS-compliant Cisco VPN 3000 is used alternatively

• Monitoring and Logging: OpenSystems Envision HA

What we bought (continued)

• Cisco 6509 Wireless Service Module

— Centralized management of APs

— Achieve roaming qualities good enough for 802.11g telephones

• Clients: Disable Windows Zero Configuration Utility

— Several Vendor (Laptop) Client Utilities in use

• Atheros, IBM, Dell TrueMobile, Cisco all work for us

• Meanwhile long list of “Cisco Compatible Client Devices” published (this was not there when we started …)

• No security compatible wireless Print Servers available

— Lowest common denominator: WPA-PSK

— Print Servers segregated from LAN
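The slides fall back to WPA-PSK for the print servers because nothing better was available, and the strength of that fallback rests entirely on the passphrase: IEEE 802.11i derives the pairwise master key as PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt, and the only thing standing between a captured handshake and the key is how guessable the passphrase is. The Python below is an added example, not code from the talk or from NC3A: it derives the PMK exactly as the standard specifies (checked against the 802.11i Annex test vector, passphrase "password" on SSID "IEEE") and runs a pre-deployment policy check over a candidate passphrase and SSID. The 20-character minimum, the 64-bit guess-space floor and the small SSID and wordlist sets are assumptions made for this example, not values from the slides.

```python
import hashlib
import math
import string


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key as specified by IEEE 802.11i:
    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The SSID is the salt, so one passphrase gives a different PMK on every SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


# Assumed policy values for this example (not from the slides).
MIN_PASSPHRASE_LEN = 20          # 802.11i itself only requires 8-63 printable ASCII characters
MIN_GUESS_SPACE_BITS = 64
COMMON_DEFAULT_SSIDS = {"default", "linksys", "netgear", "wireless", "wlan"}  # constructed sample
SAMPLE_WORDLIST = {"password", "12345678", "qwertyuiop", "letmein"}           # constructed sample


def estimate_guess_space_bits(passphrase: str) -> float:
    """Upper bound on passphrase entropy, assuming uniform choice from the
    character classes actually present: length * log2(pool size)."""
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(c in string.punctuation or c == " " for c in passphrase):
        pool += 33
    return len(passphrase) * math.log2(pool) if pool else 0.0


def audit_psk(passphrase: str, ssid: str) -> list:
    """Return a list of findings; an empty list means the PSK passes this check."""
    findings = []
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        findings.append("passphrase is not 8-63 printable ASCII characters as 802.11i requires")
    elif len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append(f"passphrase shorter than {MIN_PASSPHRASE_LEN} characters")
    if passphrase.lower() in SAMPLE_WORDLIST:
        findings.append("passphrase appears in the sample wordlist")
    if ssid.lower() in COMMON_DEFAULT_SSIDS:
        findings.append("SSID is a common default name, so the SSID salt adds little; use a site-specific SSID")
    bits = estimate_guess_space_bits(passphrase)
    if bits < MIN_GUESS_SPACE_BITS:
        findings.append(f"estimated guess space is only {bits:.0f} bits")
    return findings


if __name__ == "__main__":
    print(derive_pmk("password", "IEEE").hex())   # 802.11i Annex test vector
    for pp, ssid in [("password", "IEEE"), ("Corridor-AP-rollout-2005!", "nc3a-print")]:
        print(repr(pp), ssid, audit_psk(pp, ssid) or "OK")
```

Each guess costs the full PBKDF2 run (two 4096-iteration HMAC-SHA1 blocks for a 256-bit key), which is why a long random passphrase on a site-specific SSID is the only setting in which "lowest common denominator: WPA-PSK" is acceptable for the segregated print-server network.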

Problems we had during installation (and how we solved them)

• New wireless networks require a lot of new wires to be pulled throughout the building

— We rejected “wireless, wireless” approach to get more useable bandwidth throughout the building

• Changed our minds several times on authentication

— Cisco LEAP, PEAP/Microsoft CHAPv2, EAP-TLS

— Settled on LEAP (straightforward implementation, easy reauthentication through cached credentials)

• New equipment first available with FCC certification, then re-configured for non-US channel schemes

— We started with US-legal equipment for testing, prototyping, then waited for “street-legal” European models

Lessons Learned

• Do not compare a corporate WLAN to your living room WLAN

— corporate WLANs can use: authentication, VLAN Tagging, multiple SSIDs, fast roaming, positioning engines

• WiFi compatible is not security compatible

— “WiFi certified” = interoperability of equipment on an unprotected HotSpot

• Secure WLANs need excellent signal stability, i.e. FCC-approved equipment is not good enough for a secure ETSI WLAN

— FCC client adapters get de-authenticated frequently w/o any obvious reason

• Expect incompatibilities even within the product lines of a single vendor

— problems and fixed bugs sometimes reappear after a firmware upgrade (i.e. de-authentication at high network load or when USB devices are (dis)connected)

• Even reasonably-priced RF propagation models turned out to be very accurate

— EKAHAU Site Survey, ESS
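The monitoring and logging building block earlier in the deck, together with the lesson that FCC client adapters get de-authenticated without any obvious reason, means de-authentication events in the AP logs deserve a second look rather than being filtered out as noise. The Python below is an added example, not part of the slides or of any vendor's tooling: it reads de-authentication records in a constructed log format (a real AP's syslog lines will differ and the regular expression would need adjusting), and separates the two patterns a defender wants to tell apart: one client that keeps dropping off a single AP, which is the adapter or firmware instability described above, and a burst of de-authentications hitting many clients on one AP within seconds, which is what a deliberate de-authentication flood would leave in the log. The window and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed record format for this example; a real AP's syslog lines will look different:
#   <ISO timestamp> <ap-name> DEAUTH client=<mac> reason=<802.11 reason code>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<ap>\S+) DEAUTH "
    r"client=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) reason=(?P<reason>\d+)$"
)

# Constructed sample log: one client flapping on ap-corridor-1, a burst across six
# clients on ap-corridor-2 within three seconds, and one unrelated line the parser skips.
SAMPLE_LOG = """\
2005-10-18T14:00:01 ap-corridor-1 DEAUTH client=00:11:22:aa:bb:01 reason=3
2005-10-18T14:00:05 ap-corridor-1 DEAUTH client=00:11:22:aa:bb:01 reason=7
2005-10-18T14:00:09 ap-corridor-1 DEAUTH client=00:11:22:aa:bb:01 reason=7
2005-10-18T14:07:30 ap-corridor-2 DEAUTH client=00:11:22:aa:bb:10 reason=7
2005-10-18T14:07:31 ap-corridor-2 DEAUTH client=00:11:22:aa:bb:11 reason=7
2005-10-18T14:07:31 ap-corridor-2 DEAUTH client=00:11:22:aa:bb:12 reason=7
2005-10-18T14:07:32 ap-corridor-2 DEAUTH client=00:11:22:aa:bb:13 reason=7
2005-10-18T14:07:32 ap-corridor-2 DEAUTH client=00:11:22:aa:bb:14 reason=7
2005-10-18T14:07:33 ap-corridor-2 DEAUTH client=00:11:22:aa:bb:15 reason=7
2005-10-18T14:20:00 ap-corridor-3 ASSOC client=00:11:22:aa:bb:20
"""


def parse_deauth_lines(lines):
    """Return de-authentication events as (timestamp, ap, mac, reason), sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ap"],
                           m["mac"].lower(), int(m["reason"])))
    events.sort(key=lambda e: e[0])
    return events


def classify_deauths(lines, window=timedelta(seconds=10),
                     flood_events=6, flood_clients=3, flap_events=3):
    """Sliding-window analysis per AP and per (AP, client).

    flood:    >= flood_events de-auths on one AP within `window`, spread over
              >= flood_clients distinct clients -> many stations dropped at once.
    flapping: >= flap_events de-auths of the same client on the same AP within
              `window` -> the unstable-adapter pattern from the lessons learned.
    Each key is reported once, with the time the pattern was first seen."""
    per_ap = defaultdict(deque)       # ap -> (ts, mac) pairs inside the window
    per_client = defaultdict(deque)   # (ap, mac) -> timestamps inside the window
    flood, flapping = {}, {}
    for ts, ap, mac, _reason in parse_deauth_lines(lines):
        q = per_ap[ap]
        q.append((ts, mac))
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) >= flood_events and len({m for _, m in q}) >= flood_clients:
            flood.setdefault(ap, ts)
        c = per_client[(ap, mac)]
        c.append(ts)
        while ts - c[0] > window:
            c.popleft()
        if len(c) >= flap_events:
            flapping.setdefault((ap, mac), ts)
    return {"flood": flood, "flapping": flapping}


if __name__ == "__main__":
    report = classify_deauths(SAMPLE_LOG.splitlines())
    for ap, ts in report["flood"].items():
        print(f"{ts} {ap}: de-authentication burst across several clients")
    for (ap, mac), ts in report["flapping"].items():
        print(f"{ts} {ap}: client {mac} repeatedly de-authenticated (check adapter/firmware)")
```

The reason code is parsed but not used for the classification; in practice it is the next thing to correlate, together with the client's adapter model and firmware version, before deciding whether a flapping client is the FCC-adapter problem from the lessons learned or something that needs an incident ticket.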

So what? Why is this useful to you?

• NIST-compliant WLAN is an “interesting” technology

• It’s not super-secure but it attempts to go a significant step beyond commercial “best practice”

• It is not influenced by any vendor, or any network philosophy

• Since we must live with WLAN, this is a way to sleep easily at night

• By forcing consideration of AP physical security, it may also force an evaluation of other physical security issues. This is good.

• (left as an exercise for the student)

Questions & Answers

Thank you for your attention

joerg.fritsch@nc3a.nato.int

If you were in “their” shoes: What you need to attack WLANs

• NO Pringles Antenna!

• Educated guesses

• Time !!! – If they are not carried out in a staged or protected lab environment most attacks need time

• Wireless network sniffers and analyzers

— Kismet, http://www.kismetwireless.net

— Netstumbler, http://www.netstumbler.org

— Airopeek, http://www.airopeek.com

• Tools to decrypt WEP Keys

— Airsnort, http://airsnort.shmoo.com

— Weplab, http://weplab.sourceforge.net

— Chopchop

If you were in “their” shoes: What you need to attack WLANs (continued)

• WPA disassociation/de-authentication Attacks

— Airforge (re-inject packets – such as de-authentication packets), http://new.remote-exploit.org

• Attacks on the LEAP authentication

— Asleap, http://asleap.sourceforge.net

• WPA PSK brute force attacks

— Cowpatty, http://sourceforge.net/projects/cowpatty

• Attacks on the Wireless Client

— Airpwn, http://airpwn.sourceforge.net

— Hotspotter, http://new.remote-exploit.org