Emory Network Communications
Wireless Security In an Education Environment
Stan Brooks CWNA, CWSP
Emory University Network Communications Division
[email protected]
AIM-Y!-MSN: WLANstan
Copyright Stan Brooks 2007.
This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Outline

What this presentation will not cover
- Not a how-to hacking/cracking course
- Not a wireless basics discussion
- Not a deep dive on WLAN protocols

Wireless Security
- Why do we need security on wireless networks?
- Wireless Security Basics
- Wireless Security History
- Choosing a Wireless Security Model
- Implementing Wireless Security
- Migrating Security Models – A real-life story
- Protecting yourself – Safe Wireless Computing at Wi-Fi Hotspots and at Home

Why Do We Need Security on WLANs?

[Diagram: Internet; Internal Network; "Real" Access Point; Rogue Access Point; "Real" Wireless User; Evil Twin/MitM Access Point]

- Easy to eavesdrop (sniff)
- Easy to spoof MAC addresses
- Easy to hack/crack Pre-Shared Keys (WEP, WPA-PSK)
- Rogue APs
- Evil Twin & Man-in-the-Middle (MitM) Attacks
- Last 100 feet is the worst of all
  - Much less secure than even wired Internet access
- There is good news – Wireless CAN be more secure than the wired network (if implemented properly)

Wireless Security – What do we Protect?

There are 3 areas that need protection:
1) Protect data as it travels from source to destination
   - Network Eavesdropping
   - Integrity (tampering)
   - Denial of Service (DoS)
2) Protect the network from unauthorized/compromised users
   - Rogue APs
   - Stolen/hacked credentials
   - Client remediation (NAC/NAP/etc.)
3) Protect the client from unauthorized access
   - MitM/Evil Twin and Ad Hoc attacks
   - Hacking open hard drive shares

[Diagram: Access Point; Wireless User]

Security
- Security is a PROCESS
- Apply Security in Layers
- There is NO single security silver bullet
- Different data require different levels of security
  - A Term Paper vs. Student Grades vs. Financial Aid Data vs. Health Records
- Different users need different levels of access
  - Student vs. Faculty vs. Guest Users
- A Business Risk Assessment helps to define requirements

Security Policy
- Wireless Security SHOULD be part of your Overall Security Policy
  - Acceptable Use Policy, Terms of Service (AUP/ToS)
- Policy should address the 3 areas to protect outlined on a previous slide
- Role-based Access Control
  - All users are NOT created equal: Student vs. Faculty vs. Staff vs. Guest
  - All data are NOT created equal: Term papers vs. grade reports vs. medical records
- Security Policy also defines how the network is accessed
  - Type of hardware and what type of support
  - Supported OSs
  - Access methods

AAA (or AAAA)
- Originated with dial-up Internet and VPN access
  - RADIUS = Remote Authentication Dial-In User Service
- Authentication (Username/Password) – Who are you?
- Authorization (Are you a valid user/subscriber?) – Are you allowed to log on to the network?
- Access Control (Added for RBAC & Wireless) – Where can you go once you are on the network?
- (Accounting) – Originally the 3rd “A”
  - Logs
  - Billing
  - Tracking usage
  - For when the RIAA or MPAA comes around

Authentication in a Wireless Environment

Types of Wireless Security Models
- Open System
- Shared Key for Encryption & Authentication
  - Static Key (WEP, WPA / WPA2-PSK)
  - Dynamic Key (Dynamic WEP, WPA / WPA2-Enterprise)

Authentication Models
- Open System
- VPN
- 802.1x (WPA / WPA2 or wired) – Needs a RADIUS Server
- Guest Access
  - Captive Portal, Walled Garden, Other

Wi-Fi Security Evolution

Authentication:
- SSID – Easily hacked by children, no real security, just a no-trespassing sign
- Captive Portal – Requires a webserver and may compromise username/pw.
- VPN – Data encryption at the expense of authentication, and may require client software
- 802.1x – Uses EAP (EAP-TLS, EAP-TTLS, PEAP, LEAP, etc.). Requires a RADIUS Server.

Encryption:
- WEP
- Dynamic WEP
- TKIP
  - Dynamic WEP is fairly secure; TKIP is much better, addressing all known issues w/WEP
- AES
  - 802.11i (also called WPA2) combines 802.1x Authentication (EAP-TLS, EAP-TTLS, PEAP, LEAP, etc.) with AES encryption

WEP / WPA / WPA2 Basics

| | WEP | WPA-Personal | WPA-Enterprise | WPA2-Personal | WPA2-Enterprise |
|---|---|---|---|---|---|
| Encryption | RC4 w/WEP, 24-bit IV, 40/104-bit Key | RC4 w/TKIP, 48-bit IV, 128-bit Key | RC4 w/TKIP, 48-bit IV, 128-bit Key | AES-CCMP, 48-bit IV, 128-bit Key | AES-CCMP, 48-bit IV, 128-bit Key |
| Integrity | CRC | Michael, 64-bit Key | Michael, 64-bit Key | CBC-MAC, 128-bit Key | CBC-MAC, 128-bit Key |
| Authentication | Optional Shared Key | PSK – Pre-Shared Key | 802.1x, Various EAP-Types | PSK – Pre-Shared Key | 802.1x, Various EAP-Types |
| Ad-Hoc Support | Yes | No | No | Yes | No |
| Standard | Part of 802.11b, 1999 | Snapshot of 802.11i as of 10/2002 | Snapshot of 802.11i as of 10/2002 | Specified in 802.11i, Ratified 06/2004 | Specified in 802.11i, Ratified 06/2004 |

WPA / WPA2 Enterprise (802.1x) Elements
- Supplicant (the client)
- Authentication Server (RADIUS server)
- Authenticator (the AP or WLAN Controller)
  - Passes the authentication transaction between the Supplicant and the Authentication Server

[Diagram: Supplicant (Client) – Authenticator (Access Point) – Authentication Server (RADIUS) – Network]

WPA / WPA2-Enterprise EAP-Types

| EAP-Type | Source | Client | Server Auth | Client Auth | Vulnerability Level | Vulnerability Examples |
|---|---|---|---|---|---|---|
| EAP-MD5 | Open – NOT Wi-Fi Certified | Aegis, Odyssey | None (NO KEY DERIVATION) | Shared Key Challenge | Extremely High | Offline Dictionary Attacks |
| LEAP | Cisco Proprietary, NOT Wi-Fi Certified | Cisco (CCX), Aegis, Odyssey | Password Hash | Password Hash | High | ASLEAP – Identity Exposure & Offline Dictionary PW Attacks |
| EAP-FAST | Cisco Proprietary, NOT Wi-Fi Certified | Odyssey | PAC (Shared Key) | MSCHAPv2 | Medium | PAC Exposure |
| TLS | Open, Wi-Fi Certified | Aegis, Odyssey | Certificate (PKI) | Certificate (PKI) | Low | Lost or Stolen Devices |
| TTLS (PAP, CHAP, MSCHAPv2, or GTC) | Open, Wi-Fi Certified | Aegis, Odyssey, T-Mobile Conn Mgr (PCTEL) | Certificate | PAP, CHAP, MSCHAPv2, GTC | Medium | Possible Identity Exposure, MitM Risks |
| PEAPv0 (TLS or MSCHAPv2) | Microsoft – Wi-Fi Certified | Microsoft WZC, Apple, Aegis, Odyssey | Certificate | EAP-TLS (SmartCard), MSCHAPv2 | Medium | Possible Identity Exposure, MitM Risks |
| PEAPv1 (EAP-GTC) | Cisco – Wi-Fi Certified | Cisco, Aegis, Odyssey | Certificate | EAP-GTC (Generic Token Card) | Medium | Possible Identity Exposure, MitM Risks |
| EAP-SIM | GSM Wireless Carriers – Wi-Fi Certified | Odyssey | SmartCard | SmartCard | Medium | GSM/GPRS Attacks |

Note: Aegis Client by Meetinghouse, Odyssey Client by Funk/Juniper Networks

Choosing the Right EAP-type
- What EAP-types does your client base support?
  - Homogeneous or heterogeneous environment
  - Machine or user authentication – or both?
  - Do you control the clients?
  - Do you support PKI?
  - What clients are you willing to support, and at what level?
- What EAP-types does your authentication server(s) support?
  - RADIUS server supported EAP-types
  - RADIUS proxy capabilities to your back-end credential base
- Back-end directory/database capabilities
  - How are passwords stored?
  - Proxy capabilities
  - Back-end directory rights

Wireless Clients

PCs:
- Microsoft Windows XP WZC
- Wireless chip manufacturers’ clients: Atheros, Intel, Broadcom, Prism
- Open Source: SecureW2, wEAP
- Funk/Juniper Odyssey
- Meetinghouse/Cisco Aegis
- VPN Clients: Microsoft PPTP, IPSec; Checkpoint; Others

Macs / Linux / PDAs:
- wpa_supplicant, Xsupplicant
- Native OS support
- Funk/Juniper Odyssey
- Meetinghouse/Cisco Aegis
- Wi-Fi & Dual Mode Phones

Other Devices:
- Game Consoles
- TiVo
- Appliances
- Nabaztag Wi-Fi Rabbit

Implementing a Secure Wireless Infrastructure
- Basic Tenet: the wireless network should be considered UNTRUSTED
  - Wireless traffic should be scrutinized and controlled just like Internet traffic, perhaps more so.
- Difficult to build & scale an effective secure architecture with stand-alone APs
  - Expanding VLANs across the campus
  - Backhauling wireless traffic to a firewall or wireless gateway
  - Managing APs, switches, & routers
- I’m an unabashed WLAN Switch/Controller proponent
  - Much easier to implement security model(s)
  - Easier to deploy, manage, & troubleshoot

Aruba WLAN Switch/Controller-based Implementation
- The AP attaches to the network infrastructure and gets its configuration from the Aruba WLAN switch/controller
- The AP builds a tunnel to the Aruba WLAN switch/controller
- An Authenticated user associates to the AP; all traffic is tunneled to the controller, where it is scrutinized and passed or blocked to various destinations including the Internet
- A Guest user associates to the AP; all traffic is tunneled to the controller, scrutinized, and forwarded to the Internet as policy dictates
- Using a centralized controller gives a single point of ingress and control for wireless traffic on the wired network

[Diagram: Authenticated User (SSID: EmoryUnplugged) and Guest User (SSID: EmoryGuest) – “Thin” Access Point – Aruba WLAN Switch/Controller w/ Built-in Firewall and Per User Access Control – Emory’s Internal Network / Internet]

Migrating to “New” Security Models – Some History
- Emory originally settled on an Open System/VPN authentication/access model in 2004
- As we grew, VPN was OK, but not great
  - The user experience with the VPN was sub-optimal
- Directive to move to WPA-Enterprise given Spring 2006
  - Directive for completion by January 1, 2007

Changing Security Models
- Least impact on clients
  - Clients DO have to change
- Plan a transition period
  - Longer (within reason) is better
  - A natural calendar break is ideal for cut-over
  - Emory used Winter Break ‘06 as the cut-over
- Run both models for the transition period
- Market, market, market the change and why it’s better

Poster Example

[Poster image]

Poster/Ad Example

[Poster/ad image]

Emory’s Transition Timeline
- Fall 2005 – Started piloting new model
  - Developed configuration handouts and tools
- January 2006 – Started officially supporting new model
- Spring Semester 2006 (Jan-May)
  - Marketed change (posters, student newspaper ads)
  - Held clinics to get users transitioned
  - End of semester – Email blast informing students of impending change in Fall 2006
- Fall Semester 2006 (Sept-Dec)
  - Removed old security model from ResNet areas
  - Move-in weekend required lots of hands-on configuration help for students
  - Held additional configuration clinics in high-use areas
  - Mid & Late Semester – Email blasts to known users of the old security model informing them of the model “sunset”
- Winter Break 2006 – Removed old security model access globally
- Result: No logged complaints

VPN Usage Graph, Oct 2005 to Feb 2007

[Graph; annotated points: Thanksgiving 2005, Winter Break 2005, Spring Break 2006, Summer Break 2006, Move-in Weekend 2006, Thanksgiving 2006, Winter Break 2006]

Wireless Security – Protecting Yourself

[Diagram: Internet; “Real” Access Point; “Real” Wireless User]

There are 3 main areas to address:
1) Protect data as it travels from source to destination
2) Protect the client from unauthorized access
3) Protect the network from unauthorized/compromised users

Safe HotSpot Wireless Computing
- Assume the network connection is HOSTILE - practice safe computing!
- Enable/use Personal Firewalls
- Configure your Wireless Client
  - Properly configured for “Internet” or untrusted connection
  - Do NOT connect to non-preferred wireless networks
  - Do NOT automatically connect to an open wireless network – Set client to ask you (On Demand/Manual)
  - No Ad-Hoc Networks (Ad-Hoc networks are REALLY BAD)
- Encrypt your traffic
  - WPA / WPA2-Enterprise (probably not available at hotspots)
  - VPNs
    - Your organization’s VPN – PPTP, IPSec, or SSL VPNs
    - Public VPN Gateways such as Hotspotvpn.com, Publicvpn.com, JiWire.com SpotLock
- Remember: HTTP, POP3, IMAP, FTP, Telnet and other protocols send credentials and data as clear text, so encrypt to be safe!

Safe SOHO Wireless Computing

On your clients:
- Do NOT connect to non-preferred wireless networks
- No Ad-Hoc Networks (Ad-Hoc networks are REALLY BAD)

On your router:
- Please. Please, Please - Change your router’s default configuration
  - CHANGE THE PASSWORD FROM THE DEFAULT
  - Change the SSID from the default
    - Choose an SSID that does not identify you or your geographic location
  - Set the channel to 1, 6, or 11 to reduce interference
  - Read the directions and set up WPA-PSK or WPA2-PSK
    - Choose a difficult-to-guess and long (32+ character) passphrase that has upper/lower case, numbers, and punctuation.
    - Example: “Emory\University/Rox*My<2>smallW0RLD!!!Yeah!”
    - WPA-PSK can be subject to dictionary attacks, so misspelled words, added punctuation and longer keys will help mitigate this type of attack – just make it easy for YOU to remember

Recap
- Why we need security for wireless networks
- Different security models
  - Strengths & weaknesses
- Implementation
- Migrating to a New Security Model
- Basic wireless security methods for home and hotspots

Wireless Security In an Education Environment
Presentation Evaluation URL: http://resnetsymposium.org/resnet2007/
Questions & Discussion

Bibliography & Resources
- CWNP – Certified Wireless Network Professional Program: best program for learning ALL about WLANs
- Books: Real 802.11 Security, Wi-Foo, CWNA/CWSP/CWAP Study Guides, Hacking Wireless Networks for Dummies
- Websites: cwnp.com, wi-fiplanet.com and others (hit the forums for good information)
- Manufacturers: Cisco, Aruba, Meru, Trapeze
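The hotspot and SOHO client advice above (no ad hoc networks, no automatic joining of open networks) and the EAP table's "MitM Risks" entries for PEAP and TTLS can be checked mechanically on a Linux client. The following is an added example written for this page, not code from the presentation or from the wpa_supplicant project: it parses a wpa_supplicant.conf and flags profiles that break those rules. The configuration keys used (ssid, mode, key_mgmt, eap, ca_cert, anonymous_identity, disabled) are real wpa_supplicant keys; the sample configuration, its SSIDs and the CA path are constructed for the demonstration.

```python
"""Lint a wpa_supplicant.conf against the client-hardening advice on the slides.

Added example, not from the presentation. Checks: no ad hoc (IBSS) profiles, open
networks only joined on demand (disabled=1), and PEAP/TTLS profiles must pin a CA
(ca_cert) so an evil-twin AP cannot stand in for the real RADIUS server, plus an
anonymous outer identity so the username is not sent in the clear.
"""
import re

# Constructed sample config: one hardened enterprise profile plus three weak ones.
SAMPLE_CONF = """
network={
    ssid="EmoryUnplugged"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student"
    anonymous_identity="anonymous"
    ca_cert="/etc/ssl/certs/campus-ca.pem"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CoffeeShop"
    key_mgmt=NONE
}
network={
    ssid="Free-WiFi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="student"
    phase2="auth=PAP"
}
network={
    ssid="laptop-adhoc"
    mode=1
    key_mgmt=NONE
}
"""

_BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)


def parse_networks(text):
    """Return one dict per network={...} block (simple key=value parser, quotes stripped)."""
    networks = []
    for body in _BLOCK_RE.findall(text):
        net = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop trailing comments
            if "=" in line:
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip().strip('"')
        networks.append(net)
    return networks


def lint_network(net):
    """Return a list of findings for one profile; an empty list means it passes."""
    findings = []
    ssid = net.get("ssid", "<no ssid>")
    key_mgmt = net.get("key_mgmt", "WPA-PSK WPA-EAP")  # wpa_supplicant default
    if net.get("mode") == "1":
        findings.append(f"{ssid}: ad hoc (IBSS) profile; remove it")
    elif key_mgmt == "NONE" and net.get("disabled") != "1":
        findings.append(f"{ssid}: open network auto-joins; set disabled=1 so it is joined only on demand")
    if "WPA-EAP" in key_mgmt and net.get("eap") in {"PEAP", "TTLS"}:
        if not net.get("ca_cert"):
            findings.append(f"{ssid}: {net['eap']} without ca_cert; RADIUS server is not validated (evil twin / MitM risk)")
        if not net.get("anonymous_identity"):
            findings.append(f"{ssid}: no anonymous_identity; outer EAP identity exposes the username")
    return findings


def lint_config(text):
    """Lint every profile in a wpa_supplicant.conf and return all findings."""
    findings = []
    for net in parse_networks(text):
        findings.extend(lint_network(net))
    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONF):
        print(finding)
```

Run against the constructed sample, the hardened "EmoryUnplugged" profile produces no findings, while the open hotspot, the TTLS profile without a CA, and the ad hoc profile each get flagged; the same functions can be pointed at a real config file by reading it into `lint_config`.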
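The SOHO slide says to change the default SSID and to pick a long, mixed-character passphrase because WPA-PSK is open to dictionary attacks. The reason both pieces of advice matter is visible in the key derivation itself: under 802.11i the pre-shared key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 iterations, 32 bytes), so a unique SSID defeats precomputed tables and every guess costs the attacker 4096 HMAC operations. The block below is an added example for this page, not code from the presentation: it derives the PMK the way a WPA/WPA2-Personal client or AP does, checks a passphrase against the slide's policy, and confirms that the same passphrase yields different keys under different SSIDs. MIN_LEN, the constructed mini word list, and the helper names are this example's own.

```python
"""WPA-PSK key derivation and a passphrase-policy check for the SOHO advice.

Added example, not from the presentation. The PMK formula is the one specified in
IEEE 802.11i (PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256-bit output); the
policy thresholds mirror the slide (32+ characters, upper/lower case, digits,
punctuation). MIN_LEN and COMMON_WORDS are assumptions made for the demonstration.
"""
import hashlib
import string

MIN_LEN = 32          # slide: "long (32+ character) passphrase"
PBKDF2_ROUNDS = 4096  # fixed by the 802.11i standard

# Constructed mini word list standing in for an attacker's dictionary.
COMMON_WORDS = {"password", "letmein", "emory", "wireless", "admin"}


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PMK exactly as a WPA/WPA2-Personal client or AP does."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, 32)


def check_passphrase(passphrase: str):
    """Return a list of policy failures; an empty list means it meets the slide's advice."""
    problems = []
    if len(passphrase) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if not any(c.isupper() for c in passphrase):
        problems.append("no upper-case letters")
    if not any(c.islower() for c in passphrase):
        problems.append("no lower-case letters")
    if not any(c.isdigit() for c in passphrase):
        problems.append("no digits")
    if not any(c in string.punctuation for c in passphrase):
        problems.append("no punctuation")
    if passphrase.lower() in COMMON_WORDS:
        problems.append("is a dictionary word")
    return problems


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(wpa_psk("password", "IEEE").hex())
    good = "Emory\\University/Rox*My<2>smallW0RLD!!!Yeah!"  # the slide's example passphrase
    print(check_passphrase(good))        # passes the policy
    print(check_passphrase("password"))  # fails on length, classes and dictionary
    # Same passphrase, different SSID: different PMK, because the SSID is the salt.
    print(wpa_psk(good, "linksys") != wpa_psk(good, "MyHomeNet"))
```

The first print reproduces the published 802.11i test vector, which is a quick way to confirm that a home-grown derivation matches what real clients compute; the last line is the concrete reason the slide pairs "change the SSID" with "choose a long passphrase".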