1 Copyright © 2005, Cisco Systems, Inc. All rights reserved. Applying Security Principles to...
-
Upload
raul-broadley -
Category
Documents
-
view
216 -
download
0
Transcript of 1 Copyright © 2005, Cisco Systems, Inc. All rights reserved. Applying Security Principles to...
1Copyright © 2005, Cisco Systems, Inc. All rights reserved.
Applying Security Principles to Networking Applications
Mark [email protected]
Dec 08, 2005
222Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
What is Security in Computer Development Projects
• What are you protecting
• Why are you protecting it
• From whom are you protecting it
• How are you going to protect it
• What is the cost of protecting it
333Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
Wired Access Topology
V V
Internet
Access Device
Local Area Network (LAN)
Wide Area Network (WAN)
444Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
Wireless Access Topology
Internet
Access Device
Local Area Network (LAN)
Wide Area Network (WAN)
555Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
Wireless Access Topology
Internet
Access Device
Local Area Network (LAN)
Wide Area Network (WAN)
666Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
Wireless Access Security Complication
• Physical Access to Local Area Network no longer exists
– Anyone can intercept your conversations
– Anyone can utilize your network resources
777Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
Security Solution For Wireless Access
• Authentication
• Encryption
888Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
Typical Solution for Wireless Access
Internet
1) Where is Access Point
“MyAP”
2) I am here. Prove you know my secret
999Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
Typical Solution for Wireless Access
Internet
3) Here is my proof
4) OK. Here are session keys
101010Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
So Whats The Problem?
• Wireless Access is a huge Consumer Market
• People are beoming concerned with Wireless Security
• My GrandMother cant use it
111111Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
What Can We Do To Help
• Make it easy for Grandma to set up Wireless Security
121212Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
Step 1. Configure Security Parameters Automatically
Internet
When Access Point is booted 1st time:Configures Random Secure SSID
Configures Random WPA Shared Secret
Waits for Wireless Association on Secure SSID
SSID: r@ndOm 55ID
WPA-PSK: R@NDOM_P@SsW0Rd
131313Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
Step 2.
• How Can We Transfer Security Parameters Securely?
141414Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
Step 2. Trial One
SSID: Well Known SSID
Open Authentication
1) W
here i
s my A
cces
s
Point “
Well
Known S
SID”
2) H
ere
I am
. Com
e on in
151515Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
Step 2. Trial One
SSID: Well Known SSID
Open Authentication 3)
Give
me S
ecurit
y
Param
eter
s
4) H
ere
They A
re
161616Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
Step 2. Trial One
1) W
here i
s my A
cces
s
Point “
r@ndOm
55ID
”
2) I
am h
ere.
Pro
ve y
ou know m
y se
cret
SSID: r@ndOm 55ID
WPA-PSK: R@NDOM_P@SsW0Rd
171717Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
Step 2. Trial One
3) H
ere i
s my p
roof
4) O
K. Her
e ar
e se
ssio
n key
s
SSID: r@ndOm 55ID
WPA-PSK: R@NDOM_P@SsW0Rd
181818Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
Step 2. Trial One Attack
SSID: Well Known SSID
Open Authentication
1) Where is my Access
Point “Well Known SSID”
2) Here I am. Come on in
191919Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
Step 2. Trial One Attack
SSID: Well Known SSID
Open Authentication
3) Give me Security
Parameters
4) Here they are
202020Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
Step 2. Trial Two
• What Authentication is possible given constraints
– something we know
– something we have
– something we are
– something we do
• If we can’t be sure, at least be safe
212121Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
Step 2. Trial Two
SSID: Well Known SSID
Open Authentication
Wher
e is m
y Acc
ess
Point “
Well
Known S
SID”
Here
I am
. Com
e on in
Where is m
y
Access Point “Well
Known SSID”
Here I am. Com
e on in
222222Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
Step 2. Trial Two
SSID: Well Known SSID
Open Authentication
1) G
ive M
e Sec
urity
Param
eter
s
Hang o
n a s
ec
Give Me Security
Parameters
Unable to guarantee unique access
Access to all denied
232323Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
Step 2. Trial 2 Attack
• Attacker just Associates and Listens
242424Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
Trial 3.
• Use Trial 2 Method for Authentication
• Use SSL for Encryption
252525Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
So Whats The Problem with IPSec?
• Network Protection is a huge Consumer Market
• People are beoming concerned with Security and look to IPSec for help
• My GrandMother cant use it
262626Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
Network Address Translation
Internet
Local Area Network (LAN)
Wide Area Network (WAN)
192.168.1.100
192.168.1.100
192.168.1.101
192.168.1.101
172.204.19.32
62.2.12.17
272727Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
The RoadWarrior IPSec Problem
• With common implementations the IP Address need to be known a priori or else a global shared secret is used for Authentication
• Mobility and NAT make it hard to predict the IP Address
282828Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795
RoadWarrior Solution
2. Client configuredWeb Install client software
Configure address of Home Gateway
3. Client software connectsLogs on to HTTPS
Initiates the IPSec VPN
1. Gateway configuredSSL Username, password
4. Gateway acceptsAuthenticates Client by password
Figures out current Client IP Address
Provisions IPSec for Client IP Address
Joins Client to Protected Network using IPSec VPN
HomeGateway
Internet
Pro
tected
Netw
ork
IPSec VPN Tunnel
HTTPS
Road Warrior Client
292929Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795