Assembling a secure 802.11 wireless network

  • 1. ASSEMBLING A SECURE 802.11 WIRELESS NETWORK Joerg Fritsch, NATO C3 Agency RSA Conference 2005, 18 Oct, 2pm, Austria Center Vienna
  • 2. Session learning objectives • Understand the meaning of NIST recommendations and ‘FIPS’ compliance. • Introduce the building blocks of a secure 802.11 wireless network. • Visualize aspects of site survey, planning and roll out of a secure wireless network. • Discriminate between ‘WLAN compatible’ and ‘security compatible’ equipment. • Know why this is important for your future plans
  • 3. What is “NIST compliant” WLAN ? • U.S. NIST = National Institute of Standards and Technology • NIST WLAN = 56 recommendations • last updated in November 2002, but still pretty much up-to-date and relevant to implementers • mainly standards which were (at that time) still in the draft stage • rumor about proposed update since beginning 2005 • NIST makes recommendations, not law, not recipes
  • 4. “NIST compliant” = new standards, (i.e. be brave…) • Network authentication — 802.1x — EAP, EAP-FAST — LEAP etc. • Temporal key management — WPA, WPAv2 • Ciphers — AES — TKIP
  • 5. What are the building blocks? • Users (fixed, or mobile) • Access points • Authentication (this is new, compared to traditional WLAN) • Confidentiality — Link encryption by APs — IPSec overlay (fully FIPS compliant WLANs, - this is also a new idea) • Monitoring and logging • Physical Security of the APs
  • 6. What about FIPS compliance ? • (U.S.) Federal Information Processing Standard • “Mandatory” feature that equipment bought by the government must support • Currently there are no FIPS compliant wireless access points • Be careful! Some vendors advertise this, but they really mean a combination of AP and VPN • FIPS 140-2 compliance always generated by some sort of VPN concentrator (at our site Cisco VPN 3K)
  • 7. IPSEC overlay: Fully NIST and FIPS compliant WLANs • Disadvantages — Industry's efforts are aiming for integrated wireless networks — ! you cut the link between you and the rest of the world — VPN Client required (compatibility, interoperability!) — Single Sign On is hard to achieve • Advantages — Fully “NIST compliant” — Common vulnerabilities (i.e. during association of the WLAN client) do not fire. — Increases security and interoperability — Integrates well with strong authentication
  • 8. There are 2 ways to assemble the building blocks: WLAN collocated with LAN • We prefer this implementation framework because • SSO for all WLAN Clients • Additional Software (VPN Client) optional • All private network services available for WLAN Clients — File and Print services — VLAN segmentation — VoIP
  • 9. There are two ways to assemble the building blocks: WLAN segregated from LAN • Additional security • Integrates best with — IPSEC overlay — Server based computing • WLAN itself still needs to be secured • Firewall policy easily will become permissive if not implemented in conjunction with IPSEC overlay or server based computing
  • 10. Planning of a NIST compliant WLAN net • All the stuff for a regular installation — Site Survey Tools • RF propagation Software • Antennas, Cards & GPS • Floor Plans — Site Survey • Selection of cell size and antennas • General positioning indoor/outdoor — Recommendations on physical security vs shielding & interference • … plus physical security of the APs (manipulation, theft) • … this can make your life much, much harder
  • 11. Rolling out a NIST-compliant WLAN net (Here’s what we did at NC3A) • Our design goals • Our security goals • Our implementation plan • What we bought and our experience of implementing it • What we have learned (so far…) — How it fits with our existing hard- and software (If it’s only 6 months old, can you call it “legacy” ???) — Risk evaluation !!!!!!!
  • 12. Primary Design Goals • Following the U.S. NIST security guidelines for governmental use — Not required in NATO as yet, but probably a “best practice” • Building a network that — provides an acceptable privacy for a NATO UNCLASSIFIED network — is not too difficult to implement — Can teach us about future, higher security WLAN nets • New features supportable on our existing hardware • Preserving the advantages of a traditional WLAN — Mobility — user friendly — low administrative overhead
  • 13. Security Goals • Do the best we can do (remember, it’s NATO UNCLASSIFIED) • Do not cut the link between us and the rest of the world • Mitigate known risks • Imagine the unknown risks • Know who is on our network (and who might try to sneak in) • Understand what we are doing, and why • Visualize the new network perimeter
  • 14. We live in a simple security environment (not everyone is so lucky) We can place APs in corridors where they are visible and accessible
  • 15. Fitting the APs to the Physical Building We find that even simple RF propagation models are quite effective and realistic … But you need to have good physical building plans
  • 16. What we bought • Authentication: — Funk “Steel Belted Radius” Server — Microsoft Windows Domain Controller • Access points: Cisco 1200 Access Points • Antennas: 2dBi omni directional, ceiling mountable • Confidentiality: — WPA/TKIP or WPAv2/AES through Cisco IOS on APs — FIPS-compliant Cisco VPN 3000 is used alternatively • Monitoring and Logging: OpenSystems Envision HA
  • 17. What we bought (continued) • Cisco 6509 Wireless Service Module — Centralized management of APs — Achieve roaming qualities good enough for 802.11g telephones • Clients: Disable Windows Zero Configuration Utility — Several Vendor (Laptop) Client Utilities in use • Atheros, IBM, Dell TrueMobile, Cisco all work for us • Meanwhile long list of “Cisco Compatible Client Devices” published (this was not there when we started …) • No security compatible wireless Print Servers available — Lowest common denominator: WPA-PSK — Print Servers segregated from LAN
  • 18. Problems we had during installation (and how we solved them) • New wireless networks require a lot of new wires to be pulled throughout the building — We rejected “wireless, wireless” approach to get more useable bandwidth throughout the building • Changed our minds several times on authentication — Cisco LEAP, PEAP/Microsoft CHAPv2, EAP-TLS — Settled on LEAP (straightforward implementation, easy reauthentication through cached credentials) • New equipment first available with FCC certification, then reconfigured for non-US channel schemes — We started with US-legal equipment for testing, prototyping, then waited for “street-legal” European models
  • 19. Lessons Learned • Do not compare a corporate WLAN to your living room WLAN — corporate WLANs can use: authentication, VLAN Tagging, multiple SSIDs, fast roaming, positioning engines • WiFi compatible is not security compatible — “WiFi certified” = interoperability of equipment on an unprotected HotSpot • Secure WLANs need excellent signal stability; i.e. FCC-approved equipment not good enough for a secure ETSI WLAN — FCC client adapters get de-authenticated frequently w/o any obvious reason • Expect incompatibilities even within the product lines of a single vendor — problems and fixed bugs sometimes reappear after a firmware upgrade (i.e. de-authentication at high network load or when USB devices are (dis)connected) • Even reasonably-priced RF propagation models turned out to be very accurate — EKAHAU Site Survey, ESS
  • 20. So what? Why is this useful to you? • NIST-compliant WLAN an “interesting” technology • It’s not super-secure but it attempts to go a significant step beyond commercial “best practice” • It is not influenced by any vendor, or any network philosophy • Since we must live with WLAN, this is a way to sleep easily at night • By forcing consideration of AP physical security, it may also force an evaluation of other physical security issues. This is good. • (left as an exercise for the student)
  • 21. Questions & Answers Thank you for your attention
  • 22. If you were in “their” shoes: What you need to attack WLANs • NO Pringles Antenna! • Educated guesses • Time !!! – If they are not carried out in a staged or protected lab environment most attacks need time • Wireless network sniffers and analyzers — Kismet, http://www/ — Netstumbler, — Airopeek, • Tools to decrypt WEP Keys — Airsnort, — Weplab, — Chopchop
  • 23. If you were in “their” shoes: What you need to attack WLANs (continued) • WPA disassociation/de-authentication Attacks — Airforge (re-inject packets – such as de-authentication packets), • Attacks on the LEAP authentication — Asleap, • WPA PSK brute force attacks — Cowpatty, • Attacks on the Wireless Client — Airpwn, — Hotspotter,
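
Added example (not part of the original slides): slide 19 reports clients being de-authenticated for benign reasons, and slide 23 lists de-authentication attacks, so the "monitoring and logging" building block has to tell the two apart. The sketch below separates one client that is repeatedly de-authenticated from many clients dropped on one AP at once; the log format, AP names, MAC addresses and thresholds are constructed assumptions, not output from the equipment named in the slides.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a hypothetical AP syslog format (not real device output).
SAMPLE_LOG = """\
2005-10-18T09:00:02 ap=ap-corridor-1 event=deauth client=00:11:22:33:44:01 reason=1
2005-10-18T09:00:05 ap=ap-corridor-1 event=assoc client=00:11:22:33:44:01
2005-10-18T09:00:20 ap=ap-corridor-1 event=deauth client=00:11:22:33:44:01 reason=1
2005-10-18T09:00:41 ap=ap-corridor-1 event=deauth client=00:11:22:33:44:01 reason=1
2005-10-18T09:05:00 ap=ap-corridor-2 event=deauth client=00:11:22:33:44:0A reason=7
2005-10-18T09:05:01 ap=ap-corridor-2 event=deauth client=00:11:22:33:44:0B reason=7
2005-10-18T09:05:03 ap=ap-corridor-2 event=deauth client=00:11:22:33:44:0C reason=7
2005-10-18T09:30:00 ap=ap-corridor-1 event=deauth client=00:11:22:33:44:02 reason=1
"""
LINE_RE = re.compile(r"^(\S+) ap=(\S+) event=deauth client=([0-9a-f:]{17})\b", re.I)

def parse(log):
    """Yield (timestamp, ap, client) for each deauth line; other events are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).lower()

def classify(log, window_s=60, client_repeat=3, ap_clients=3):
    """Split deauth activity into two cases (thresholds are assumptions to tune):
    flaky_clients: one client deauthenticated >= client_repeat times in window_s
    ap_bursts:     >= ap_clients distinct clients deauthenticated on one AP in window_s
    """
    by_client, by_ap = defaultdict(list), defaultdict(list)
    for ts, ap, client in sorted(parse(log)):
        by_client[client].append(ts)
        by_ap[ap].append((ts, client))
    flaky = set()
    for client, times in by_client.items():
        for i in range(len(times) - client_repeat + 1):
            if (times[i + client_repeat - 1] - times[i]).total_seconds() <= window_s:
                flaky.add(client)
                break
    bursts = set()
    for ap, events in by_ap.items():
        for i, (start, _) in enumerate(events):
            seen = {c for ts, c in events[i:] if (ts - start).total_seconds() <= window_s}
            if len(seen) >= ap_clients:
                bursts.add(ap)
                break
    return {"flaky_clients": flaky, "ap_bursts": bursts}

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

A client in `flaky_clients` matches the adapter and firmware behaviour described in slide 19; an AP in `ap_bursts` is the pattern worth investigating on site.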