Practical Wireless Security
A case study on implementing wireless security using PEAP

Rezi Andoni, CCNP
Systems Security Administrator
Chicago-Kent College of Law
Illinois Institute of Technology
[email protected]
312-906-5327
Audience
- Security engineers/administrators
- Network engineers
- Network administrators

Technical level: medium - high

I'd like to do frequent polling of technology/tool use
Brief Introduction to Kent
- Each student is required to have a laptop computer
- Estimated number of laptop computers is 1200 (more than 95% are XP SP1 or better)
- We use Microsoft Active Directory for centrally authenticating users (upgraded from Windows 2000 to 2003 Domain Controllers)
- All computers are/were joined to the domain at some point
- We manage our own infrastructure
Requirements for the Implementation of the Wireless Network
- Users have to authenticate
- Wireless traffic must be encrypted
- Need to use the existing Active Directory infrastructure for authenticating to the wireless
- Seamless integration (we almost never see the evening students at all)
- Ability to accommodate guests
- No or little overhead on our helpdesk
- Choice of not adding additional vendors to the solution (we mostly use Cisco equipment & technology for network infrastructure and Microsoft software for authentication, email and desktop applications)
- Ease of implementation
Choosing a Security Strategy (an elimination process)
- Do not deploy a wireless LAN
- Wide open WLAN (no security)
- Static WEP security (easy to break and find the key; difficult to maintain)
- MAC address authentication (no encryption and easy to sniff and spoof)
- Use no security (on the wireless side) and require VPN to get to network resources
  - Need for a VPN concentrator, which can constitute a bottleneck
  - Possible additional client software in each client computer
  - More complex and costly than an EAP solution
  - Client computers can be attacked individually
  - In most cases the user is required to initiate the connection
- Use end-to-end IPSEC (this is possible with Microsoft clients and servers)
  - Needs a certificate infrastructure to be implemented (or Kerberos-based key distribution)
  - Can encrypt traffic between clients and servers but not traffic going to the Internet (routers need to be IPSEC compliant for this)
  - Might be difficult to maintain
  - Protection occurs at the network layer, not the data-link layer
The Elimination Process (continued)
- Implement 802.1x security
  - Cisco EAP (LEAP)
    - Proprietary, Cisco ACS (Access Control Server) needed; extra cost
  - EAP-TLS (RFC 2716)
    - Supported by Windows XP clients
    - Needs client certificates in client computers
    - Needs a public key infrastructure, which can be difficult to maintain
  - EAP-TTLS (internet draft)
  - Protected EAP (PEAP) (internet draft)
  - There are more EAP standards...
The Elimination Process (continued)
- WPA and WPA2 need firmware support; older WLAN NIC cards may not have updated firmware
- WPA2 would be the preferred choice
  - WPA2 also needs firmware that supports it in the access points (AES encryption)
- The choices left for us were PEAP and EAP-TTLS
Choosing between PEAP and TTLS
- Radius server
  - PEAP: Microsoft, Cisco (others)
  - TTLS: Funk, Meetinghouse
- Status
  - PEAP: Internet Draft (Microsoft, Cisco, RSA) (expired)
  - TTLS: Internet Draft (Funk, Meetinghouse)
- Client software
  - PEAP: comes with Windows XP (Microsoft) (Cisco as well)
  - TTLS: needs to be installed separately (Funk, Meetinghouse)
- Protocol structure
  - PEAP: two parts: (1) establish TLS between client and PEAP server; (2) run an EAP exchange between client and server over the TLS tunnel
  - TTLS: two phases: (1) establish TLS between client and TTLS server; (2) exchange attribute-value pairs
- Protection of user identity
  - PEAP: yes, over TLS (MS-CHAPv2 over TLS)
  - TTLS: yes, over TLS
- Additional software and cost
  - PEAP: no; Windows 2003 comes with a radius server that has PEAP support, and XP has the client
  - TTLS: yes
PEAP checklist
- Required components
  - Windows 2003 domain controllers (already installed)
  - Microsoft IAS server (radius server)
  - Certificate for server use
    - Clients need to trust the authority that issued that certificate
  - Access points that allow EAP and PEAP
    - Cisco AIR-AP1231AG (does not support AES)
    - Cisco AIR-AP1232AG (supports AES)
  - Client computers with Windows XP SP1 or better
  - Group policy to automatically configure the client computers
- Optional components
  - A management solution for the access points
    - Wireless LAN Solution Engine (WLSE)
    - Cisco's WDS (not a necessity in our case but needed for the WLSE to produce better reports)
Overall Picture
[Figure: client computer, access point, radius server (IAS) with a backup radius server (IAS), domain controller with an alternate domain controller, and the certification authority. Arrow labels: certification authority to radius server "Here's a certificate for you"; client computer to certification authority "I trust the certificates that you issue"; radius server to domain controller "Check credentials".]
Getting a certificate for the radius server
- From an online certification authority
  - Pros
    - The client computers trust the certificates issued by Verisign and others
  - Cons
    - Little additional cost (one certificate for each radius server)
- Implement Microsoft Certificate Services (our choice)
  - Pros
    - Can be used for other purposes (web servers, EFS etc.)
    - Propagation of the certification authority can be automated to all client computers
  - Cons
    - One more service to maintain
    - Needs understanding of the public key infrastructure
- Implement a certificate using free software (openssl)
  - Pros
    - It is free
    - Can be used for other purposes
  - Cons
    - Once you generate the certificate for the root certification authority you need to manually distribute the certificate to all the clients that will use it and put it under the Trusted Authorities
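As an added example (not code from the deck), here is the openssl option above carried through end to end: a private root CA, a radius server certificate carrying the Server Authentication EKU that Windows PEAP clients expect, and a check that the server certificate chains to the root the clients will be told to trust. The working directory, the CA name and the hostname radius1.example.edu are constructed placeholders.

```shell
# Constructed placeholders: working directory, CA name and server hostname.
WORKDIR="${WORKDIR:-/tmp/peap-ca}"
RADIUS_FQDN="${RADIUS_FQDN:-radius1.example.edu}"

make_peap_ca() {
    mkdir -p "$WORKDIR" && cd "$WORKDIR" || return 1
    # Explicit config so the extensions do not depend on the host's openssl.cnf
    cat > peap.cnf <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
O = Kent Lab
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_radius ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$RADIUS_FQDN
EOF
    # 1. Self-signed root CA. Once the radius certs are issued the deck's
    #    advice applies: shut the CA down or firewall it.
    openssl req -x509 -config peap.cnf -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 3650 -subj "/O=Kent Lab/CN=Kent Lab CA" \
        -keyout ca.key -out ca.crt 2>/dev/null || return 1
    # 2. Key and signing request for the radius server.
    openssl req -new -config peap.cnf -newkey rsa:2048 -nodes \
        -subj "/O=Kent Lab/CN=$RADIUS_FQDN" \
        -keyout radius.key -out radius.csr 2>/dev/null || return 1
    # 3. Issue it with the Server Authentication EKU that Windows PEAP
    #    clients require on the radius server certificate.
    openssl x509 -req -in radius.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 730 -extfile peap.cnf -extensions v3_radius \
        -out radius.crt 2>/dev/null || return 1
}

# Returns 0 when radius.crt chains to ca.crt and carries serverAuth, which is
# what a client with "validate server certificate" enabled will check.
check_radius_cert() {
    cd "$WORKDIR" || return 1
    openssl verify -CAfile ca.crt radius.crt >/dev/null 2>&1 || return 1
    openssl x509 -in radius.crt -noout -text 2>/dev/null \
        | grep -q 'TLS Web Server Authentication'
}
```

ca.crt is the file to push into the clients' Trusted Root store (by hand for this option, by group policy with the Microsoft CA); ca.key never leaves the CA machine.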
Our experience with Microsoft Certificate Services
- It comes with Windows Server System
- The usage is more convenient if the installation is integrated with Active Directory
  - The certificate request and installation is almost seamless
  - The authority is automatically installed on all domain computers
- After you generate the certificates for the radius server(s) and all clients have installed the certificate in their trusted store, you can shut down the certificate server or install a host firewall and block certificate issuance for other purposes (EFS etc.)
- If licenses and systems are an issue, the Certificate Server can be installed on the same computer as the Radius server
Steps for the configuration of Microsoft Certificate Server
1. Install one more domain computer with Windows 2003
2. Install the Certificate Services integrated with Active Directory
3. Request a certificate from the radius server using the wizard (from the local certificates snap-in)
4. Approve the certificate from the certification authority (certification authority console)
5. Install the certificate in the radius server
6. Firewall the certificate server, so no more certificates can be issued (better security for the machine itself as well)
Installing the IAS server (step 1)
- Add each Access Point IP address under the radius clients
- For convenience use the same password for each Access Point
  - This is not an issue for us since the LAN environment is 100% switched and sniffing on the wired LAN is not possible
- Choose the AP vendor from the client vendor list
Configure IAS server logging (step 2)
- IAS server can log in 3 places
  - Flat file
  - SQL server (on our to-do list; the best solution if you do not have a management device)
  - Windows event viewer (starting point for troubleshooting)
IAS configuration policies (step 3)
- You can have more than one policy in the RADIUS server
- The policies that get used more should be listed first
The wireless policy (step 3 continued)
- Generally you need two conditions for this policy
  - Make sure that the request comes from an access point
  - Make sure that not everyone has wireless access
    - Make a group and put the computers or users that need wireless access in this group
The wireless policy (step 3 continued)
- The only things that need to be changed under the policy from the defaults are the EAP methods and the Client Timeout
Client timeout
- With dynamic WEP you need the radius server to force the clients to reauthenticate so a new WEP key will be generated for the session
- This puts a heavy load on the IAS server
- For higher security needs the timeout can be further reduced to 15 minutes, even 3 minutes
- Use WPA instead, which uses a built-in mechanism to re-key the session
PEAP policy (step 3 continued)
- Fast Reconnect will allow a user to roam and not need to reauthenticate
- Choose a certificate that was issued for the radius server (usually there is only one to choose from)
- Add EAP type MS-CHAP v2 in order to allow username/passwords to be used for authentication
Securing the IAS server
- It is quite safe to have a host firewall installed and enabled on the IAS server
  - The firewall that comes with Windows 2003 is fine
  - The only ports that need to be opened are
    - UDP 1645, 1646 or
    - UDP 1812, 1813 (depends on what was agreed to be used between the radius server and the access points)
    - Plus any other port that will be needed for remote administration
- For the same reason it can be placed in a more secured zone with only 2 UDP ports open
Configuring the access points
- The access points are generally not aware of the EAP method the client uses to authenticate to the server, so generally one configuration covers the individual EAP methods (PEAP, LEAP, TTLS, EAP-TLS)
- Before you go to EAP configuration make sure you change the default password, default SNMP communities, SNMP location etc.
- Configuring EAP
  1. Define the SSID
  2. Require EAP authentication for that SSID
  3. Require mandatory WEP encryption
  4. Define the radius server(s) needed for the EAP authentication (same password used in the radius server)
  - Or use a wizard that will configure all 4 steps in one
Load balancing and redundancy between the APs and the radius servers
[Figure: AP1 uses Radius 1 as primary and Radius 2 as secondary; AP2 uses Radius 2 as primary and Radius 1 as secondary.]
Load balancing (continued)
- Failure of the radius server will bring the wireless network down (single point of failure)
- Configure half of the access points for server1 as primary and server2 as secondary
- Configure the other half for server2 as primary and server1 as secondary
- Make sure that all the APs are listed at each radius server
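Added example, not from the deck: a small Python planner for the half-and-half split above. It assigns each AP its primary/secondary order, emits the matching Cisco IOS radius-server lines for the AP, and checks the last bullet, that every AP is registered as a RADIUS client on every IAS server (otherwise fail-over to the secondary is rejected). Server names, addresses and the shared secret are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RadiusServer:
    name: str
    ip: str
    auth_port: int = 1812   # or 1645/1646, whichever the IAS server listens on
    acct_port: int = 1813


def assign_radius_order(ap_addrs, servers):
    """Return {AP address: (primary, secondary, ...)}. AP i gets the server
    list rotated by i, so with two servers consecutive APs alternate
    primaries: half the APs prefer server1, the other half server2."""
    n = len(servers)
    return {ap: tuple(servers[(i + k) % n] for k in range(n))
            for i, ap in enumerate(ap_addrs)}


def ios_radius_lines(order, secret):
    """Aironet IOS tries radius-server host entries in the order listed,
    so the first line is the primary and the rest are fallbacks. The
    secret is the password entered for this AP under IAS RADIUS clients."""
    lines = [f"radius-server host {s.ip} auth-port {s.auth_port} "
             f"acct-port {s.acct_port} key {secret}" for s in order]
    lines.append("radius-server deadtime 5")  # skip a dead server for 5 min
    return lines


def missing_radius_clients(assignment, radius_clients):
    """radius_clients maps server name -> set of AP addresses registered
    under that server's RADIUS clients. Fail-over only works if every AP
    is registered on every server, so anything returned here is a gap."""
    return [(ap, s.name) for ap, order in assignment.items()
            for s in order if ap not in radius_clients.get(s.name, set())]


if __name__ == "__main__":
    servers = [RadiusServer("radius1", "10.1.1.10"),
               RadiusServer("radius2", "10.1.1.11")]
    aps = ["10.25.0.11", "10.25.0.12", "10.25.0.13", "10.25.0.14"]  # constructed
    plan = assign_radius_order(aps, servers)
    for ap, order in plan.items():
        print(f"! {ap}")
        print("\n".join(ios_radius_lines(order, "<shared-secret>")))
    # radius2 was never told about the fourth AP: its fail-over would fail
    print(missing_radius_clients(plan, {"radius1": set(aps),
                                        "radius2": set(aps[:3])}))
```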

Configuring client computers
- You can send an email with instructions
  - Not elegant, can be hard to follow for certain users
- You can create an application that will modify the registry properly
  - This can be an ActiveX control in a web page
  - The executable can be distributed in some form to the users
- If you have Windows 2003 domain controllers (or at least one domain controller that is 2003 Server) you can use the new Group Policy extensions to configure the wireless LAN adapters on the client computers
Configuring client computers with group policy
Group policy considerations
- It will add an SSID under the preferred networks of each client computer
- It can be applied to the whole organization (domain) or to specific containers or organizational units
- The preferred network cannot be removed by the user under normal circumstances
- Other SSIDs (e.g. home networks) can be added without issues
- Changes to the GPO will be pushed to the client computers
Login Script Issues
- Windows XP brings up the login dialog very fast
  - The user might be able to log in with the cached credentials before the wireless authentication process is finished, resulting in inability to process any login scripts.
- Solution
  - Instruct the users to wait 10-15 seconds before they log in
  - Configure a Windows policy to bring up the login script after the network connections are up and running
    - This policy poses no issues when the wireless signal reception is good or when there is no signal at all
    - It becomes a problem when the signal is very weak; the user might be stuck in retransmissions trying to authenticate and never get to the desktop
More on PEAP
[Figure: wireless client, wireless AP, radius server and domain controller. Phase 1, create TLS channel (labelled "PEAP authentication, create TLS channel" between client and radius server); phase 2, perform MS-CHAP version 2 over the TLS channel (labelled "user level authentication over the TLS channel"); the radius server checks credentials with the domain controller; further labels "Keying material" (radius server to AP) and "WEP traffic" (client to AP).]

EAP Methods
More on PEAP (continued)
Part 1
1. AP -> Client (EAP-Request/Identity)
2. Client -> AP (EAP-Response/Identity with username)
3. AP -> Radius (EAP-Response/Identity with username)
4. Radius -> Client (EAP-Request/Start PEAP)
5. Radius <-> Client (a series of messages that create the TLS channel)
Part 2
1. Radius -> Client (EAP-Request/Identity)
2. Client -> Radius (EAP-Response/Identity with username)
3. Radius -> Client (EAP-Request/EAP-MS-CHAP-V2 Challenge with the challenge string)
4. Client -> Radius (response to the challenge and a challenge to the server to authenticate itself)
5. Radius -> Client (Success (after checking with the Domain Controller) and response to the client's challenge)
6. Client -> Radius (success)
7. Radius -> AP (EAP success)
Then: Client <-> AP (WEP encrypted traffic)
Managing the WLAN infrastructure (40+ APs)
- Receive faults from the APs
- Configure the APs in bulk
  - Apply standard configuration on newly added access points
  - Update firmware
- Create reports on clients, devices
- Manage inventory of the access points
- Tune the RF parameters (such as transmit power etc.)
Our choice was for WLSE
- Wireless LAN Solution Engine
- Gives you plenty of configuration options
- Needs WDS for better reporting
  - WDS: Wireless Domain Services
  - Cisco proprietary technology
  - Requires that you have one WDS server per LAN segment
  - An AP can be turned into a WDS server or it can be a card that goes in a 6500 series switch
  - WDS simplifies management and makes roaming almost seamless (needed for 802.11 phones)
WDS implementation
[Figure: three client computers, three access points, a WDS server, radius server (IAS) with a backup radius server (IAS), domain controller with an alternate domain controller, and the certification authority. Arrow labels: "Here's a certificate for you" (certification authority to radius server); "I trust the certificates that you issue" (client computer to certification authority); "Check credentials" (radius server to domain controller).]
WDS Issues
- An access point needs to authenticate itself to the WDS server
  - Currently the only method supported is LEAP (Cisco proprietary and not supported by IAS)
  - Workaround???
    - Enable the Radius server that comes with the AP software
    - Use the internal radius server (LEAP) to authenticate the access points (infrastructure authentication)
    - Use IAS (Microsoft Radius Server) for client authentication
  - I wish that in further updates for the WDS other methods are supported for infrastructure authentication (AP - WDS)
- WDS poses one more point of failure in your infrastructure
  - Solution: enable more than one WDS server per LAN segment
  - The priority value of the WDS determines which WDS-enabled Access Point will become the master for the segment
    - More expensive
Guest Access
1. Create accounts for all people that need guest access
2. Create one shared account and give the password in an instruction sheet
3. Create another SSID for guest access without any security enabled in a separate VLAN
   1. Currently available as a feature in Cisco Aironet Access Points (not sure on others)
   2. Requires the switch ports to be turned into 802.1Q trunks
   3. Create a VLAN and assign a non-secure SSID to that VLAN
   4. Bad news: Aironet access points do not support DTP (Dynamic Trunking Protocol), so manual configuration is needed to change all the ports where access points are connected into 802.1Q trunks
Guest Access in Separate VLAN
[Figure: corporate firewall with zones Internet (0), NAT, Guest WLAN (25), DMZ (75) and Corporate LAN (100).]
- Needs additional firewall configuration to allow Guest WLAN users to have access to corporate resources in the DMZ or Internal Zone
Turning the guest VLAN on and off
- Configure jobs in your wireless management device for adding and deleting the guest SSID on the Guest VLAN
- Shut down the firewall port to block access and bring it up to restore access
- Change the VLAN state to suspended in your VTP server switch
References
- PEAP Internet Draft: http://www.ietf.org/internetdrafts/draft-josefsson-pppext-eap-tls-eap-10.txt (expired)
- Securing Wireless LANs with PEAP and Passwords: microsoft.com
- WLSE, WDS, 1200 Aironet series: cisco.com
- Windows 2003 Group Policy: http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/default.mspx
- Internet Authentication Service: http://www.microsoft.com/windowsserver2003/technologies/ias/default.mspx

Questions ...