Pietrosemoli, ICTP, Feb 03 WLAN SECURITY and other 802 protocols.

Date posted: 18-Dec-2015

Addenda to the basic 802.11 protocol

• 802.11a, b

• 802.11e

• 802.11d

• 802.11g

• 802.11h

• 802.11i

• 802.1X


Task Group H: Spectrum Managed 802.11a

802.11 radios transmit and, if they do not get appropriate feedback, halt and retransmit.

802.11h overlays 802.11a to solve both interference and overuse problems, as well as improve coexistence with other specs that might reside on the same band. The h spec requires devices to check whether given frequencies are in use before transmitting (Dynamic Frequency Selection or DFS), as well as only transmitting at the minimum necessary power level (Transmit Power Control or TPC).


Task Group H: Spectrum Managed 802.11a

These additions were formulated specifically to meet requirements for using the 5 GHz band in the European Union, which has been promoting its own specification called HiperLAN2.

There's a chance for spillover of h into other standards like b and g, of course, to improve their responsiveness.


Task Group E: Quality of Service

• Every packet has an equal chance of getting through in 802.11b. Task Group E wants to change that, allowing for what's known as "quality of service" or QoS, to guarantee that some packets have more priority than others. This is a fairly tricky task, involving coordination between client radios, access points, and system administrators.

• QoS is needed for consistent voice-quality calls using VOIP (voice over IP) and for streaming multimedia.


Task Group I: Enhanced Security

• Originally, 802.11e covered both scheduling and security. With the constant release of weakness reports in the WEP (Wired Equivalent Privacy) encryption system built into 802.11b, however, security popped into its own group, letter I.

• Task Group I has been working to find a replacement for WEP that, hopefully, would also have enough compatibility to be implemented without vastly revising the current generation of systems.


Task Group I: Enhanced Security

The long-term goal of 802.11i, however, is to replace WEP. The failure in public confidence has the group looking at specifications that are at a much higher level of complexity but still computationally efficient enough to embed in lower-power, inexpensive devices, such as chipsets used for PC cards.


Task Group I: Enhanced Security

The failure of WEP resulted in the group dropping the name WEP2 for the new standard and replacing it with Temporal Key Integrity Protocol (TKIP), something which is much more descriptive: assuring that a key retains its security over a period of time.


Task Group 802.1x

The group is developing a method of authenticating users through a back-end system in a secure fashion. Unfortunately, some weaknesses in the approach have already been discovered, as there is a lot of room for man-in-the-middle style interception.


Wireless LAN Security Issues

• Issue
– Wireless sniffer can view all WLAN data packets
– Anyone in AP coverage area can get on WLAN

• 802.11 Solution
– Encrypt all data transmitted between client and AP
– Without encryption key, user cannot transmit or receive data


Limitations of 802.11 Security

• Shared, static WEP keys
– No centralized key management
– Poor protection from variety of security attacks

• No effective way to deal with lost or stolen adapter
– Possessor has access to network
– Re-keying of all WLAN client devices is required

• Lack of integrated user administration
– Need for separate user databases; no use of RADIUS
– Potential to identify user only by device attribute like MAC address


802.1X Authentication Process


Require VPNs for WLAN Access?

Pros

• Ensures 3DES encryption from client to concentrator

• Is in use at most shops

• Makes WLAN and remote access UIs consistent

• Supports central security management


Cons

• Client does encryption, decryption in software

• Requires VPN concentrators behind APs, increasing cost

• User must reinitialize VPN connection when roaming between concentrators


802.1X

The IEEE 802.1X standard, Port Based Network Access Control, defines a mechanism for port-based network access control that makes use of the physical access characteristics of IEEE 802 LAN infrastructure. It provides a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics. The 802.1X specification includes a number of features aimed specifically at supporting the use of Port Access Control in IEEE 802.11 Wireless LANs (WLANs). These include the ability for a WLAN Access Point to distribute or obtain global key information to/from attached stations, following successful authentication.


Wireless LAN Analysis Tools

• AiroPeek from WildPackets
• Grasshopper from BV Systems
• Mobile Manager from Wavelink
• Sniffer Wireless from Network Associates
• NetStumbler
• AirSnort, via SourceForge
– AirSnort has been designed to break WEP encryption keys.
– It operates by passively monitoring transmissions, and when enough “interesting” packets have been gathered, usually over a 24 hour period, it can then calculate the WEP key.


Extensible Authentication Protocol (EAP)

The Extensible Authentication Protocol (EAP), specified in RFC 2284, is a method of conducting an authentication conversation between a Supplicant and an Authentication Server. Intermediate devices such as Access Points and proxy servers do not take part in the conversation. Their role is to relay EAP messages between the parties performing the authentication. The EAP messages are transported between a wireless station and an 802.1X Authenticator using EAPOL. The EAP messages are transported between an 802.1X Authenticator and the Authentication Server using RADIUS. The EAP framework supports the definition of Authentication Methods. Currently implemented EAP Authentication Methods include MD5, TLS, TTLS, PEAP, and Cisco’s LEAP.


Supplicant

The Supplicant is the client authentication software/firmware. It runs on the station seeking WLAN access and conducts an authentication conversation with the Authentication Server using EAP. Until authenticated, the Supplicant can only communicate with the Authentication Server.


Authenticator

An Authenticator performs port-based access control on a Network Access Server such as a Wireless Access Point. During authentication it relays EAP messages between the Supplicant and Authentication Server and discards all other traffic from the Supplicant. Once notified of successful authentication by the Authentication Server, the Authenticator establishes the session and provides network access to the Supplicant using any session keys provided by the Authentication Server.


Authentication Server

The Authentication Server provides authentication services to the Authenticator. The Authenticator and Authentication Server have a trusted (client/server) relationship over the secure (usually wired) portion of the network. The Authentication Server conducts an authentication conversation with the Supplicant using EAP. The Authentication Server authenticates the Supplicant based upon a user profile that can be maintained either locally or remotely. The Authentication Server may also perform authorization, collect accounting, and provide session keys to the Authenticator.
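The three roles described above can be seen in a small model of the Authenticator's port logic. This is an added example, not code from the original slides: the class, the helper names and the station MAC are assumptions made for illustration, while the EAPOL EtherType (0x888E), the PAE group address and the EAP codes are the standard values.

```python
import struct

ETHERTYPE_EAPOL = 0x888E          # EAP over LAN (EAPOL)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
PAE_GROUP = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
STATION = bytes.fromhex("020000000001")     # constructed supplicant MAC


def eapol_frame(eap_code, payload=b"", src=STATION):
    """Constructed Ethernet frame carrying one EAP packet inside EAPOL."""
    eap = struct.pack("!BBH", eap_code, 1, 4 + len(payload)) + payload
    eapol = struct.pack("!BBH", 1, 0, len(eap)) + eap   # version 1, type 0 = EAP-Packet
    return PAE_GROUP + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def data_frame(src=STATION):
    """Constructed non-EAPOL frame (EtherType IPv4) standing in for user traffic."""
    return b"\xff" * 6 + src + struct.pack("!H", 0x0800) + b"user data"


class Authenticator:
    """Port-based access control: relay EAP, discard the rest until success."""

    def __init__(self):
        self.authorized = set()   # supplicant MACs whose port is open
        self.to_server = []       # EAP packets relayed toward the Authentication Server

    def from_supplicant(self, frame):
        if len(frame) < 14:
            return "dropped"
        src, (ethertype,) = frame[6:12], struct.unpack("!H", frame[12:14])
        if ethertype != ETHERTYPE_EAPOL:
            return "forwarded" if src in self.authorized else "dropped"
        if len(frame) < 22:       # EAPOL header plus minimal EAP header
            return "dropped"
        _ver, ptype, length = struct.unpack("!BBH", frame[14:18])
        eap = frame[18:18 + length]
        # Supplicants only send EAP Responses; a Success forged on the
        # wireless side must never reach the port-state logic.
        if ptype != 0 or length < 4 or len(eap) != length or eap[0] != EAP_RESPONSE:
            return "dropped"
        self.to_server.append(eap)
        return "relayed"

    def from_server(self, mac, eap):
        """Only the Authentication Server's verdict changes the port state."""
        if eap[0] == EAP_SUCCESS:
            self.authorized.add(mac)
        elif eap[0] == EAP_FAILURE:
            self.authorized.discard(mac)
        return mac in self.authorized
```

In a real deployment the server's verdict arrives over RADIUS on the wired side; `from_server` stands in for that trusted path.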


The WLAN access points can identify every wireless card ever manufactured by its unique Media Access Control (MAC) address that is burned into and printed on the card. Some WLANs require that the cards be registered before the wireless services can be used. The access point then identifies the card by the user, but this scenario is complex because every access point needs to have access to this list. Even if it were implemented, it cannot account for hackers who use WLAN cards that can be loaded with firmware that does not use the built-in MAC address, but a randomly chosen, or deliberately spoofed, address. Using this spoofed address, a hacker can attempt to inject network traffic or spoof legitimate users.

It is also easy to interfere with wireless communications. A simple jamming transmitter can make communications impossible. For example, consistently hammering an AP with access requests, whether successful or not, will eventually exhaust its available radio frequency spectrum and knock it off the network. Other wireless services in the same frequency range can reduce the range and usable bandwidth of WLAN technology.


• Access point security recommendations:
– Enable user authentication for the management interface.
– Choose strong community strings for Simple Network Management Protocol (SNMP) and change them often.
– Consider using SNMP Read Only if your management infrastructure allows it.
– Disable any insecure and nonessential management protocol provided by the manufacturer.
– Limit management traffic to a dedicated wired subnet.
– Encrypt all management traffic where possible.
– Enable wireless frame encryption where available.

• Client security recommendations:
– Disable ad hoc mode.
– Enable wireless frame encryption where available.


On a busy network, 128-bit static WEP keys can be obtained in as little as 15 minutes.

WEP uses the RC4 stream cipher that was invented by Ron Rivest of RSA Data Security, Inc., (RSADSI) for encryption. The RC4 encryption algorithm is a symmetric stream cipher that supports a variable-length key.

The IEEE 802.11 standard describes the use of the RC4 algorithm and key in WEP, but does not specify specific methods for key distribution. Without an automated method for key distribution, any encryption protocol will have implementation problems due to the potential for human error in key input, escrow, and management. As discussed later in this document, 802.1X has been ratified in the IEEE and is being embraced by the WLAN vendor community as a potential solution for this key distribution problem.


IP Security

• When deploying IPSec in a WLAN environment, an IPSec client is placed on every PC connected to the wireless network and the user is required to establish an IPSec tunnel to route any traffic to the wired network. Filters are put in place to prevent any wireless traffic from reaching any destination other than the VPN gateway and DHCP/DNS server. IPSec provides for confidentiality of IP traffic, as well as authentication and antireplay capabilities.

• Confidentiality is achieved through encryption using a variant of the Data Encryption Standard (DES), called Triple DES (3DES), which encrypts the data three times with up to three different keys.

• Though IPSec is used primarily for data confidentiality, extensions to the standard allow for user authentication and authorization to occur as part of the IPSec process. This scenario offers a potential solution to the user differentiation problem with WLANs.
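The filtering rule in the first bullet can be expressed as a default-deny policy and checked against sample traffic. This is an added example, not part of the original slides: the addressing plan, the rule table and the function names are assumptions, and the sample packets are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing plan (assumption, not from the slides).
WLAN_NET = ip_network("10.20.0.0/24")
VPN_GATEWAY = ip_address("10.20.0.1")
DHCP_DNS = ip_address("10.20.0.2")
BROADCAST = ip_address("255.255.255.255")
UNSPECIFIED = ip_address("0.0.0.0")

# (destination, protocol, destination port) tuples wireless clients may reach.
ALLOW = {
    (VPN_GATEWAY, "udp", 500),    # IKE key exchange with the VPN gateway
    (VPN_GATEWAY, "esp", None),   # IPSec ESP (IP protocol 50), no ports
    (DHCP_DNS, "udp", 67),        # DHCP renewals
    (BROADCAST, "udp", 67),       # DHCP broadcasts
    (DHCP_DNS, "udp", 53),        # DNS
    (DHCP_DNS, "tcp", 53),
}


def permit(src, dst, proto, dport=None):
    """Return True only for traffic the wireless segment is allowed to send."""
    src, dst = ip_address(src), ip_address(dst)
    rule = (dst, proto, dport)
    if src == UNSPECIFIED:
        # A client without a lease may only broadcast a DHCP request.
        return rule == (BROADCAST, "udp", 67)
    if src not in WLAN_NET:
        return False              # source address does not belong on this segment
    return rule in ALLOW          # everything else is dropped by default


def dropped(packets):
    """Return the packets from a list that the filter would discard."""
    return [p for p in packets if not permit(*p)]


# Constructed sample traffic: (source, destination, protocol, destination port).
SAMPLE = [
    ("0.0.0.0", "255.255.255.255", "udp", 67),
    ("10.20.0.57", "10.20.0.1", "udp", 500),
    ("10.20.0.57", "10.20.0.1", "esp", None),
    ("10.20.0.57", "192.0.2.10", "tcp", 80),     # direct access to the wired side
    ("10.20.0.57", "10.20.0.58", "tcp", 445),    # client-to-client traffic
]
```

With this policy `dropped(SAMPLE)` returns only the last two packets: cleartext traffic to the wired network and traffic between wireless clients.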


EAP/802.1X

• An alternative WLAN security approach focuses on developing a framework for providing centralized authentication and dynamic key distribution.

• EAP allows wireless client adapters, which may support different authentication types, to communicate with different back-end servers such as Remote Authentication Dial-In User Service (RADIUS).

• IEEE 802.1X is a standard for port-based network access control.


EAP/802.1X

When these features are implemented, a wireless client that associates with an AP cannot gain access to the network until the user performs a network logon. When the user enters a username and password into a network logon dialog box or its equivalent, the client and a RADIUS server perform a mutual authentication, with the client authenticated by the supplied username and password. The RADIUS server and client then derive a client-specific WEP key to be used by the client for the current logon session. User passwords and session keys are never transmitted in the clear, over the wireless link.


Summary

Organizations should choose to deploy either IPSec or EAP/802.1X, hereafter referred to as LEAP, but generally not both.

Organizations should use IPSec when they have the utmost concern for the sensitivity of the transported data, but remember that this solution is more complex to deploy and manage than LEAP. LEAP should be used when an organization wants reasonable assurance of confidentiality and a transparent user security experience. The basic WEP enhancements can be used anywhere WEP is implemented.


Wireless Encryption Technology Comparison


Key LEAP Devices

• Wireless client adapter and software—A software solution that provides the hardware and software necessary for wireless communications to the AP; it provides mutual authentication to the AP via LEAP

• Wireless access point—Mutually authenticates wireless clients via LEAP

• Layer 2/3 switch—Provides Ethernet connectivity and Layer 3/4 filtering between the WLAN AP and the corporate network

• RADIUS server—Delivers user-based authentication for wireless clients and access-point authentication to the wireless clients

• DHCP server—Delivers IP configuration information for wireless LEAP clients
