How can you bring Trust and Security - Cisco · Trust and Security to Wireless LAN solutions? 2...
1
How can you bring
Trust and Security to Wireless LAN solutions?
2
Today’s Topics
→ Entrust Introduction
→ Cisco and Entrust Relationship
→ Brief overview of the 802.11b technology/security
→ Top vulnerabilities, analysis and attack tools
→ Entrust & Cisco – delivering a Secure Wireless LAN
→ Q & A
3
Relied on to Secure an Internet World
→ First mover in Internet security:
  – PKI (1994)
  – PMI - Portal Access (1997)
  – Wireless (1999)
  – Enhanced Internet Security (2001)
→ 90+ patents granted or pending
→ #1 market share in PKI software globally*
→ Top 3 in Authorization globally*
Broadest Portfolio in the Industry
*Source: IDC, Gartner / Dataquest
4
Trusted Transactions Require… Enhanced Security Services
→ Privacy: Enforcing Privacy of Transaction Information
→ Verification: Ensuring Transactions are Binding and Auditable
→ Entitlements: Providing Personalized Access and Authorization to Transactions
→ Identification: Protecting and Authenticating Identity used in Transactions
… and Security Management
5
Security Management
→ Security Management focuses on the management and use of a Digital Identity throughout its entire lifecycle
Digital ID Registration & Certification
Digital ID Usage & Validation
Digital ID Expiration & History
6
Broad Range of Solutions
→ Entrust has worked with industry leaders to integrate enhanced security services and deliver solutions that enable business return
Security Management
Identification, Entitlements, Privacy, Verification
Secure Desktop
Secure Messaging
Secure VPN & WLAN
Secure Web Portal
Secure E-Forms
Secure ERP
7
Cisco & Entrust Relationship
→ Partnered to deploy highly secure VPN and WLAN environments
→ Combine enhanced security from Entrust w/ Cisco VPN/WLAN products
  • Use Entrust PKI & certificates for IPSec authentication
→ Product integration:
  • Cisco provides VPN/WLAN software & hardware
  • Entrust provides PKI & certificate management software
→ Product interoperability
8
Enhanced Security + 802.11b
John Pavelich
Senior Security Architect
Entrust
9
WLAN Vendor Ratings
(From “Wireless LAN Vendor Evaluation and Magic Quadrant,” 24 January 2002)
10
Benefits of Wireless
[Diagram labels: WLAN user in boardroom; User accessing public WLAN; Users accessing WLAN from another building; Corporate Resources; Internet]
Productivity Gains
• access to real time information anywhere
• users stay connected longer
Increased Flexibility
• go where wire cannot
• access to all corporate resources anytime, anywhere
Cost Effective
• versus dedicated lines
• great ROI
• low TCO
11
NOP Study – Wireless LANs Increase Productivity
Based on a survey of 300+ U.S.-based organizations with more than 100 employees:
→ End users stayed connected an average of 1¾ hours more per day to their corporate network
→ Average daily time savings: 70 minutes
→ Productivity: +22%
Source: NOP World-Technology, Sept. 2001
12
Wireless LAN Technologies
                    802.11b      802.11a    802.11g
Frequency Band      2.4 GHz      5 GHz      2.4 GHz
Availability        Worldwide    US/AP      Worldwide
Maximum Data Rate   11 Mbps      54 Mbps    54 Mbps
Source: Entrust & Cisco; Securing the Enterprise WLAN Webinar, July 2002
13
Frequency Bands
[Figure: frequency axis in GHz, 1 to 6]
900 MHz band: 26 MHz wide; older devices
2.4 GHz Industrial, Scientific & Medical (ISM) band: 83 MHz wide; 11 frequency channels (3 non-overlapping)
5 GHz Unlicensed National Information Infrastructure (U-NII) band: 300 MHz wide; 8 non-overlapping channels
14
Basic WLAN Architecture
[Diagram labels: Existing Wired LAN; WLAN RF Coverage Zones; Ad Hoc Network; Infrastructure Network; AP; STA; AP acts as LAN Bridge; Remote Wired Infrastructure; Rogue Access?]
15
WLAN Trends
→ Cost of wireless technology decreasing
→ Use is rapidly increasing ~ 73% expected growth this year
→ Entering more ‘sensitive’ operational environments
→ Training, certification and ‘good’ information is limited
→ Information overload!
16
(Some) WLAN Security Issues
Default setups: Work well, but are not secure
Newness: Confusion, lots of attacks and variants
Policy: Monitoring, updating and enforcement
Safeguards: Poorly architected/implemented
New Attacks: Radio protocol attacks are nasty (ECM)
RF Propagation: Extends network environment beyond the walls
Rogue APs: Impact security of wired network
AP Technology: Many flawed implementations
WEP: Broken at any key length
17
Intruder/Safeguard Cycle
[Figure: attacker and safeguard activity plotted against time]
Time axis: 1999; RSA ‘01; Jul ‘01; We are Here Today
Attacker stages: Vulnerability Discovery; Crude Tools Appear; Hackers Exploit Crude Tools; Automated Scanning Tools; Widespread Use; Intruders move to newer, more interesting exploits
Tools shown: Survey Scripts; Kismet, Wellenreiter, Netstumbler, WEP Crack, Air Jack
Safeguard stages: Basic Safeguards Inherent in Technology; Better Safeguards Appear; Safeguards Mature, Attackers move on
Legacy Systems Still Vulnerable!
Hackers Continually Optimize Attacks
18
Typical Security Environment
[Diagram labels: “Border guards”; Web Servers; App Servers; Directory/Database; Enterprise or Government Organization; Employees; Suppliers; Customers; SSL]
Border security products do not enable trusted transactions
19
By Default, Wireless Breaches the Perimeter!
[Diagram labels: “Border guards”; Web Servers; App Servers; Directory/Database; Enterprise or Government Organization; Employees; Suppliers; Customers; SSL]
Border security products do not enable trusted transactions
20
Typical Attacks
Honey Pot experience: Opportunity attacks
AirJack engine: Client, MITM and DoS attacks
AP port and protocol scanning and probing
Passive network scans on wireless side ~ Kismet
WEP ~ Passive attacks (AirSnort) getting better
Publicized vulnerabilities ~ War Chalking
NetStumbler + Utilities ~ War Driving ‘Cultism’
21
Security With Antennas?
Dispelling Misinformation
Textbook radiation patterns of the AP isotropic monopole antenna
22
Engineering Theory
‘Experts’ say you can ‘place the antenna’ to get ‘better security’ and ‘control the perimeter’
23
Reality
Indoor Propagation in a Typical Crowded Office Building:
• Reflections
• Re-Radiation
• Attenuation
• Un-intentional wave guide structures
• Not a ‘perfect’ environment
[Diagram labels: Elevator or Utility Shaft; Access Point; WLAN Station]
24
Reality in Practice
There are limits to what you can achieve with directional antennas; site surveys are needed if the local physical environment requires it
25
Why Reality is Important
Each ~6 dB improvement at 2.4 GHz doubles your intercept range
26
Add Some Antenna Gain
Typical 2.4 GHz WLAN AP has mono-pole antennas with 0 dBi gain.
A Low Profile patch antenna can provide 8 dBi gain at 2.4 GHz and costs about $65 US
27
~12 dB gain, +/- 5000 calorie Yagi antenna, $6.45
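Why perimeter control by antenna placement fails against added receive gain: the derivation below is added here and is not part of the original slides. It assumes free-space (inverse-square) propagation, which indoor paths only approximate, and uses the gain figures quoted on the slides above.

$$P_r = P_t\,G_t\,G_r\left(\frac{\lambda}{4\pi d}\right)^2$$

For a receiver that needs at least $P_{min}$ to decode a frame, the maximum intercept distance is

$$d_{max} = \frac{\lambda}{4\pi}\sqrt{\frac{P_t\,G_t\,G_r}{P_{min}}}$$

so adding $\Delta G$ dB of gain at either end multiplies the range by

$$\frac{d'_{max}}{d_{max}} = 10^{\Delta G/20}$$

With $\Delta G = 6$ dB this is $10^{0.3} \approx 2.0$ (the doubling rule), with the 8 dBi patch antenna $10^{0.4} \approx 2.5$, and with the ~12 dB Yagi $10^{0.6} \approx 4.0$.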
28
The Result is Effective War Driving
Using network and wireless hacking tools he can get on the network from the wireless side and mount other attacks
The War Driver is really doing a survey of APs with bad default settings
Un-Protected WLANs are proliferating, providing a ‘target rich’ environment for the attacker
29
War Driver’s Results
Has your building been chalked?
30
How to Assess Your Susceptibility to War Driving
Some ‘Experts’ say you should use an Agilent Spectrum Analyzer ~ $50,000
31
Or Netstumbler
Free!
32
Or Kismet (Also Free)
33
Even Simpler
Kismet on Trinux + Pentium Laptop + Orinoco Wireless Card = Wireless Network Assessment made easy
34
Safeguards Against War Drivers, Script Kiddies and Opportunists
Change the defaults!
→ Enable WEP
→ Change the default SSID
→ Disable “Broadcast SSID”
→ Change the default password on the AP
→ Control access based on the MAC address of the NIC
→ Turn off DHCP, and change the default IP subnet
→ Periodically survey your site
35
Site-Surveys: Do a Defensive WLAN Recon
[Map: GPS-tagged signal strength readings around the customer site at 1234 West Pender Street; labelled locations: West Pender Street, Burrard Street, Water Street, Car Parkade, Public Coffee House, 23 Water Street, Restaurant at 1238 West Pender Street]
Assess your coverage (kismet) and know your neighbor’s channels
36
802.11b Channels Overlap
[Diagram: adjacent coverage cells assigned channels 1, 6 and 11]
If your neighbor is on Channel 11, pick 1 or 6 for your network
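The channel advice above can be worked through numerically. This is an added example, not part of the original slides: it assumes a 22 MHz occupied width per 802.11b transmission, and the function names and survey readings are constructed for illustration.

```python
from itertools import combinations

# 802.11b channel n (1..11) is centred at 2412 + 5*(n-1) MHz.
# Assumption: each DSSS transmission occupies about 22 MHz.
CHANNEL_WIDTH_MHZ = 22
CHANNELS = range(1, 12)

def center_mhz(channel):
    return 2412 + 5 * (channel - 1)

def overlap_mhz(a, b):
    """Spectrum in MHz shared by channels a and b (0 if disjoint)."""
    return max(0, CHANNEL_WIDTH_MHZ - abs(center_mhz(a) - center_mhz(b)))

def non_overlapping_sets(size=3):
    """All channel sets of the given size with no pairwise overlap."""
    return [s for s in combinations(CHANNELS, size)
            if all(overlap_mhz(a, b) == 0 for a, b in combinations(s, 2))]

def interference(candidate, survey):
    """Overlap with each surveyed AP, weighted by its received power in mW."""
    return sum(overlap_mhz(candidate, ch) * 10 ** (rssi_dbm / 10)
               for ch, rssi_dbm in survey)

def rank_channels(survey, candidates=(1, 6, 11)):
    """Candidates ordered from least to most interference."""
    return sorted(candidates, key=lambda c: (interference(c, survey), c))

# Constructed survey readings: (channel, signal strength in dBm)
SURVEY = [(11, -55), (10, -70), (6, -85)]

if __name__ == "__main__":
    print(non_overlapping_sets())
    print(rank_channels(SURVEY))
```

Feed it the channel and signal-strength pairs recorded during the site survey; a strong neighbor on 11 pushes channel 11 to the bottom of the ranking.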
37
Conduct a Building Wireless Survey
[Map: Wireless Signal Strength; GPS-tagged signal strength readings around Building Name, 1234 West Pender Street; labelled streets: West Pender Street, Burrard Street]
Link your coverage to your operational requirement
38
And Other Attacks?
→ Passive attacks against WEP are getting better and are slowly being merged with passive WLAN monitoring tools
→ AP port and protocol scanning and probing
→ AirJack Engine: Client, MITM and DoS attacks
39
Improved Attacks on RC4 (WEP)
“In order to carry out the attack, the cryptanalyst needs the first output word of a large number RC4 streams along with the IV that was used to generate each one of them.”
“Since in WEP, the IVs are transmitted in the clear, and the first message word in most packets is a known constant these requirements are satisfied. Optimizations of the attack have lead to deduction of a 128 bit RC4 key in 15 minutes from an actual network.”
RSA Laboratories, Volume 5, No. 2, Summer / Fall 2002
40
AirJack Attacks Network Layers
41
The Bottom Layers
42
Management Frames
→ Management frames control link characteristics and physical medium properties
→ 802.11b management frames are NOT authenticated
→ This allows radio protocol attacks
→ All you need is some extra RF power and you can ‘capture’ the victim’s radio receiver and feed it whatever protocol you want
43
Attacks – WLAN-Jack
→ Denial of Service – De-Authentication
  – Use MAC address of Access Point
  – Send de-authenticate frames
    • Send continuously
    • Client is forced to re-associate and re-authenticate (longer)
    • Attacker uses lots of power, ‘pumps’ the victim’s receiver to slow its response time
  – Users are unable to re-associate with valid AP
→ Air-Jack + WLAN-Jack
44
Attacks – WLAN-Jack
This is your connection
45
Attacks – WLAN-Jack
This is your connection during a WLAN-Jack attack
46
Attacks – Monkey-Jack
→ MITM Attack
  – Taking over connections at layer 1 and 2
  – Insert attack machine between victim and AP
  – Attack the client or the network
→ Insert False Management Frames on the RF Channel (Power and antenna)
  – This forces de-authentication of the victim from the real AP
    • Send de-authenticate frames to the victim using the access point’s MAC address as the source
  – Victim’s 802.11 card scans channels to search for new AP
47
Attacks – Monkey-Jack
→ Victim’s 802.11 card associates with fake AP on the attack machine
  – Fake AP is on a different channel than the real one
  – Attack machine’s fake AP is duplicating MAC address and ESSID of real AP
  – You can attack the victim, scan his hard drive, send him a Trojan horse, etc, etc.
  – Attack machine may optionally associate with real AP
  – Attack machine duplicates MAC address of the victim’s machine.
48
Attacks – Monkey-Jack
→ Attack machine is now inserted and can pass frames through in a manner that is transparent to the upper level protocols
→ Wireless networks are more vulnerable to MITM attacks than wired networks.
→ Many security solutions are implemented with an assumption of a secure layer 1 and 2
→ Many VPN solutions are implemented with inadequate authentication for protection against wireless MITM attacks.
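Both attacks described on the WLAN-Jack and Monkey-Jack slides leave traces a wireless monitor can look for: a burst of de-authenticate frames carrying the AP's MAC address, and the AP's MAC address beaconing on a second channel. The sketch below is an added example, not part of the original slides; the record layout, addresses, window and threshold are assumptions constructed for illustration.

```python
from collections import defaultdict

AP, VICTIM, OTHER = "00:11:22:33:44:55", "00:de:ad:be:ef:01", "00:de:ad:be:ef:02"
BCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample records: (time_ms, frame_type, source_bssid, dest, channel)
FRAMES = (
    [(0, "beacon", AP, BCAST, 6), (50, "beacon", "00:aa:bb:cc:dd:ee", BCAST, 1)]
    + [(400, "deauth", AP, OTHER, 6)]  # a single deauth is normal AP behaviour
    + [(1000 + 100 * i, "deauth", AP, VICTIM, 6) for i in range(10)]
    + [(2100, "beacon", AP, BCAST, 11)]  # same BSSID, different channel
)

def deauth_floods(frames, window_ms=1000, threshold=5):
    """Map (bssid, dest) -> peak deauth count in any window, if >= threshold."""
    times = defaultdict(list)
    for t, ftype, bssid, dest, _ch in frames:
        if ftype == "deauth":
            times[(bssid, dest)].append(t)
    alerts = {}
    for key, ts in times.items():
        ts.sort()
        start = peak = 0
        for end, t in enumerate(ts):
            while t - ts[start] > window_ms:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts

def multi_channel_bssids(frames):
    """Map bssid -> channels, for BSSIDs seen beaconing on more than one."""
    seen = defaultdict(set)
    for _t, ftype, bssid, _dest, ch in frames:
        if ftype == "beacon":
            seen[bssid].add(ch)
    return {b: sorted(chs) for b, chs in seen.items() if len(chs) > 1}

if __name__ == "__main__":
    print(deauth_floods(FRAMES))
    print(multi_channel_bssids(FRAMES))
```

A legitimate AP that is reconfigured to a new channel also triggers the second check, so correlate it with change records before treating it as a fake AP.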
49
Before Monkey-Jack
50
After Monkey-Jack
51
What do we do now?
How can you bring
Trust and Security to WLAN?
52
Assess Your Security Requirements
✓ Analyze your environment
✓ Determine your wireless security profile ….
✓ Perform your risk assessment
Security = Knowledge + Strong Authentication + Encryption + Monitoring + the Other Layers of the Onion
53
Cisco Advantages in GoC Environment
Unlike other vendors Cisco Access Points can be ‘Hardened’ against attack
54
Cisco AP Allows for Filtering
55
Cisco Advantages GoC Environment
Cisco VPN Client/Gateway technology is ‘Best in Class’ for WLAN Applications
✓ Strong encryption, True IPSec VPN
✓ Auto-initiate VPN tunnel for WLAN connections
✓ Force ‘Disable Split Tunneling’
✓ Stateful Inspection Firewall Client AND Gateway
✓ Forced Virus scanning
✓ Strong, certificate based authentication using GoC PKI (Entrust) certificates
✓ Security Hardware and Software from a ‘Mature’ vendor
56
Cisco VPN Gateway Forces a Client Policy
57
GoC PKI Provides Security Infrastructure
[Diagram labels: GoC PKI; Directory; Certification Authority]
58
Security Frameworks
[Diagram labels: Backend AAA infrastructure; Third party EAP-Radius, etc.; TLS; PEAP; LEAP; VPN; Method Layer; EAP Layer; EAP; APIs; NDIS; Media APIs; PKI; 802.11; GoC PKI + VPN; Desktop Encryption]
Source: Entrust & Cisco; Securing the Enterprise WLAN Webinar, July 2002
59
Securing WLAN: Cisco + Entrust
[Diagram labels: Cisco ‘Hardened’ AP with IPSec filtering; Enterprise; Cisco WLAN user with VPN Client, GoC Certificate, Desktop Tools; Directory; Certification Authority; Cisco VPN 3000 Gateway]
60
Enhanced Security is Required When Using WLAN Technology!
Leverage the GoC PKI: Enhanced Security is needed to Strongly Identify users and devices and to protect client data
61
Summary
Cisco WLAN +
Cisco VPN +
GoC PKI (Entrust) =
Trusted WLAN transactions and protected client
Achieving the benefits of WLAN requires confidence that the same level of privacy & trust is maintained in the wireless world as in the wired world!
62
For more information
http://www.entrust.com/wlan
Thank You!
Questions & Answers