© 2002, Cisco Systems, Inc. Wireless LAN Security
TRANSCRIPT
1© 2002, Cisco Systems, Inc.
Wireless LAN Security
The #1 Concern for Enterprise about Wireless: Security
Source: WSJ, 2/5/01
Agenda
• Wireless LAN security issues
• Standards-based solutions: 802.1X and TKIP
• WiFi Protected Access (WPA)
• Other security methods
• Rogue APs
• Demo
• Summary
Security Requirements for WLANs
“Wireless is like having an RJ45 in my car park”
Wireless LAN Security Issues
[Figure: a wireless LAN (WLAN) client associated to an access point (AP) that bridges to the wired LAN]
Issue
• Access control: Anyone in AP coverage area can get on WLAN
• Privacy: Wireless sniffer can view all WLAN data packets
802.11 Solution
• Use WEP to encrypt all data transmitted between client and AP
• Without WEP key, user cannot transmit or receive data
Limitations of 802.11 Security
Authentication
• Authentication is device-based, not user-based
• Client does not authenticate network
• Existing authentication databases are not leveraged
Key management
• Keys are static
• Keys are shared among devices and APs
• If adapter or device is stolen, all devices and APs must be rekeyed
RC4-based WEP keys
• Encryption algorithm is vulnerable to attack
• Message integrity is not ensured
Addressing the Limitations: 802.11i
Authentication (addressed by 802.1X)
• Authentication is device-based, not user-based
• Client does not authenticate network
• Existing authentication databases are not leveraged
Key management (addressed by 802.1X)
• Keys are static
• Keys are shared among devices and APs
• If adapter or device is stolen, all devices and APs must be rekeyed
RC4-based WEP keys (addressed by TKIP and AES)
• Encryption algorithm is vulnerable to attack
• Message integrity is not ensured
Overview of 802.1X
• Link layer (layer 2) support for Extensible Authentication Protocol (EAP)
• Securely facilitates authentication message exchanges between wireless client, access point, and AAA server
• Allows the use of numerous authentication algorithms
• WLAN implementations of 802.1X must support mutual authentication
802.1X Authentication Types
• EAP-Cisco Wireless, or LEAP
– Is supported by Cisco Aironet client adapters on Windows, CE, Linux, Mac OS, and DOS
– Has been licensed to other vendors
• EAP-TLS (mutual EAP-TLS)
– Is supported in XP and, soon, other Windows versions
– Requires client certificates and server certificates
• PEAP
– Is supported in XP and, soon, other Windows versions
– Uses server-side TLS, which requires only server certificates
• EAP-TTLS
– Is supported by Funk Software’s Odyssey
– Uses server-side TLS
Overview of the Cisco Temporal Key Integrity Protocol (TKIP)
• WEP is broken
– AirSnort attack, among others, renders WEP ineffective
• TKIP is designed to “patch” WEP; it is not the long-term WLAN encryption solution
• Allows existing devices to be upgraded
WEP: AirSnort “Weak IV” Attack
• Attack is based on Fluhrer/Mantin/Shamir paper
• Initialization vector (IV) is a 24-bit field that changes with each packet
• RC4 Key Scheduling Algorithm creates IV from base key
• Flaw in WEP implementation of RC4 allows creation of “weak” IVs that give insight into base key
• More packets = more weak IVs = better chance to determine base key
• To break key, hacker needs 5-6 million packets
[Figure: WEP frame layout: dest addr, src addr, IV, encrypted data]
WEP: Bit-Flipping and Replay Attack
• Hacker intercepts WEP-encrypted packet
• Hacker flips bits in packet and recalculates ICV CRC32
• Hacker transmits to AP bit-flipped frame with known IV
• Because CRC32 is correct, AP accepts, forwards frame
• Layer 3 device rejects and sends predictable response
• AP encrypts response and sends it to hacker
• Hacker uses response to derive key (stream cipher)
[Figure: plain text (1234) XOR stream cipher (XXYYZZ) = cipher text; cipher text XOR predicted plain text (1234) = stream cipher]
TKIP: Key Hashing (Per-Packet Keys)
[Figure: no key hashing: IV and base key feed RC4, whose stream cipher is XORed with plaintext data to give encrypted data; key hashing: IV and base key are first hashed into a packet key, which together with the IV feeds RC4]
Because packet key is hash of IV and base key, IV no longer gives insight into base key
TKIP: Message Integrity Check (MIC)
[Figure: WEP frame: dest addr, src addr, IV, encrypted data; the encrypted portion is the stream cipher XORed over the seq #, plaintext, MIC and ICV fields]
Sender adds MIC to packet
Recipient examines MIC; discards packet if MIC is not intact
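The bit-flipping slide and this MIC slide together explain why TKIP adds a keyed integrity check and a sequence number. The following is an added example (not Cisco's code): it shows the CRC32 property that makes WEP's unkeyed ICV patchable without knowing the plaintext, and a recipient that drops tampered and replayed frames. The frame layout is a constructed simplification and truncated HMAC-SHA256 stands in for TKIP's actual MIC algorithm (Michael).

```python
import hashlib
import hmac
import struct
import zlib

# Constructed demo key; in TKIP the MIC key is derived per session.
MIC_KEY = b"constructed-mic-key"

def crc32_is_linear(a: bytes, delta: bytes) -> bool:
    """CRC32 is affine: crc(a ^ d) == crc(a) ^ crc(d) ^ crc(zeros).
    An attacker who can XOR a pattern into a frame can therefore fix up
    an unkeyed ICV without ever seeing a. This is the ICV weakness."""
    xored = bytes(x ^ y for x, y in zip(a, delta))
    zeros = bytes(len(a))
    return zlib.crc32(xored) == zlib.crc32(a) ^ zlib.crc32(delta) ^ zlib.crc32(zeros)

def mic_frame(seq: int, payload: bytes, key: bytes = MIC_KEY) -> bytes:
    """TKIP-style body: 2-byte sequence number, payload, 8-byte keyed MIC."""
    body = struct.pack(">H", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

class Receiver:
    """Recipient side: drop frames whose MIC fails or whose seq # is not new."""
    def __init__(self, key: bytes = MIC_KEY) -> None:
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes) -> str:
        body, mic = frame[:-8], frame[-8:]
        expect = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(mic, expect):
            return "drop: MIC mismatch"
        seq = struct.unpack(">H", body[:2])[0]
        if seq <= self.last_seq:          # replayed or out-of-order frame
            return "drop: replay"
        self.last_seq = seq
        return "ok"

def flip_bit(data: bytes, bit: int) -> bytes:
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

def demo() -> tuple:
    msg = b"GET /payroll"                  # constructed plaintext
    delta = flip_bit(bytes(len(msg)), 5)   # one-bit change pattern
    rx = Receiver()
    good = mic_frame(1, msg)
    tampered = flip_bit(good, 16 + 5)      # same flip, inside the payload
    return (crc32_is_linear(msg, delta), rx.accept(good),
            rx.accept(tampered), rx.accept(good), rx.accept(mic_frame(2, msg)))
```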
Broadcast Key Rotation Overview
• Broadcast key is required in 802.1X environments
• Re-keying of broadcast key is necessary, just as with unicast key
• Key is delivered to client encrypted with client’s dynamic key
Airsnort
- Capture enough packets
- A passive listener can recover the secret WEP key by listening into enough packets.
- Enough = 5-6 million packets
<while running>
Airsnort capture v0.0.9
Copyright 2001, Jeremy Bruestle & Blake Hegerle
Total Packets : 2096201300
Encrypted Packets: 1009835030000
Interesting Packets: 0
Timeouts: 0
Last IV = 00:50:DA
“Has anyone had any luck with snorting against a Cisco 340 Access Point with 11.07? I have been running against one all day and according to capture I have 60 billion encrypted packets but 0 interesting packets.”
- Toby Bearden, hacker, in posting to Airsnort Forum
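The weak-IV slide and the AirSnort run above turn on two properties of the 24-bit WEP IV: it repeats, and some values are FMS-class “weak” (AirSnort’s “interesting packets”). As an added example (not Cisco’s or AirSnort’s code), this audit counts both per transmitter over a capture, which is how a defender confirms that an AP filters weak IVs, as the Cisco 340 in the quoted post appears to. The frame layout is a constructed simplification of the slide’s figure (dest, src, 3-byte IV, key id, data) and the sample frames are constructed.

```python
from collections import Counter, defaultdict

def parse_frame(frame: bytes) -> tuple:
    """Return (src_addr, iv) from the simplified layout dest(6) src(6) iv(3) keyid(1) data."""
    if len(frame) < 16:
        raise ValueError("frame too short for dest, src, IV and key id")
    return frame[6:12].hex(":"), bytes(frame[12:15])

def is_weak_iv(iv: bytes) -> bool:
    """FMS-class IV (B+3, 0xFF, X): leaks information about key byte B.
    B ranges 0..12 for a 104-bit key, so the first byte is 3..15."""
    return 3 <= iv[0] <= 15 and iv[1] == 0xFF

def audit(frames) -> dict:
    """Per transmitter: how many IV values were reused (keystream reuse)
    and how many weak IVs were emitted. A filtering AP should show 0 weak."""
    seen = defaultdict(Counter)   # src -> iv -> occurrences
    weak = Counter()
    for f in frames:
        src, iv = parse_frame(f)
        seen[src][iv] += 1
        if is_weak_iv(iv):
            weak[src] += 1
    reused = {src: sum(1 for n in ivs.values() if n > 1) for src, ivs in seen.items()}
    return {"frames": len(frames), "reused_ivs": reused, "weak_ivs": dict(weak)}

def make_frame(src: bytes, iv: bytes, body: bytes = b"\x00" * 8) -> bytes:
    """Build a constructed frame: broadcast dest, src, IV, key id 0, opaque body."""
    return b"\xff" * 6 + src + iv + b"\x00" + body

# Constructed, locally administered MAC addresses for an AP and one client.
AP = bytes.fromhex("020000000001")
CLIENT = bytes.fromhex("020000000002")
SAMPLE = [
    make_frame(AP, b"\x00\x50\xda"),       # ordinary IV
    make_frame(AP, b"\x00\x50\xda"),       # same IV again: keystream reuse
    make_frame(AP, b"\x03\xff\x7a"),       # weak IV from the AP
    make_frame(CLIENT, b"\x04\xff\x10"),   # weak IV from the client
    make_frame(CLIENT, b"\x12\x34\x56"),   # ordinary IV
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```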
WPA
• What? WPA = 802.1X + TKIP
– A non-802.1X option exists for home/SOHO products [1]
• Why?
– 802.1X and TKIP are key elements of 802.11i
– Industry is tired of waiting for 802.11i to be ratified
– Responding to push from Microsoft, Wi-Fi Alliance agreed to incorporate WPA into Wi-Fi compliance testing
• When?
– Optional testing begins in February 2003
– WPA compliance is needed for new Wi-Fi certification beginning in August 2003
• Result: WPA is new industry baseline for WLAN security
[1] http://www.wi-fi.com/OpenSection/pdf/WPA_Home_Overview.pdf
Overview: http://www.wi-fi.com/OpenSection/pdf/Wi-Fi_Protected_Access_Overview.pdf
Q&A: http://www.wi-fi.com/OpenSection/pdf/Wi-Fi_Protected_Access_QA.pdf
Cisco and WPA
• Current capabilities of Cisco Aironet products
– Have supported 802.1X since December 2000
– Have supported pre-standard TKIP implementation since December 2001
• Cisco plans
– Continue to support all 802.1X types, including LEAP, as well as pre-standard TKIP
– Ensure WPA compliance, primarily by adding support for standard TKIP
– VLANs can be used for mixed client environments
* Not committed
Security using VPN
[Figure: a wireless user at a hotel/airport high-speed hotspot reaches the secure enterprise intranet across the Internet through a VPN terminated at the enterprise firewall]
WLAN Security Hierarchy
Open Access (public “hotspots”): no encryption, basic authentication
Basic Security (home use): 40-bit or 128-bit static WEP encryption
Enhanced Security (business): 802.1x, TKIP/SSN encryption, mutual authentication, scalable key management, etc.
Remote Access (business traveler, telecommuter): Virtual Private Network (VPN)
VLAN concepts – the wireless world
[Figure: AP_1 and AP_2 connect to the enterprise network over 802.1Q trunks (native VLAN 10, management VLAN-id 10) alongside a RADIUS server; each AP advertises the SSIDs Engineering, Marketing, HR and Guest]
SSID         VLAN-id  Security Policy                  RADIUS VLAN override (optional, per user)
Engineering  14       802.1x with Dynamic WEP + TKIP   yes
Marketing    24       802.1x with Dynamic WEP + TKIP   yes
HR           34       802.1x with Dynamic WEP + TKIP   no
Guest        44       Open/no WEP                      no
The problem with rogue APs…
• Wireless APs can be deployed securely
– 802.1x with TKIP
– VPN
• Rogue APs do not conform to corporate security requirements and open the network to trespassers, snoops, and hackers
“Rogue APs are like having an RJ45 in my car park.” (the earlier quote, with “Wireless is” crossed out)
Who installs Rogue APs? “Focus on the Frustrated Insider”
Frustrated Insider (“Jones from accounting”; >99.9% of rogue APs)
• User that installs wireless AP in order to benefit from increased efficiency and convenience it offers
• Common because of wide availability of low cost APs
• Usually ignorant of AP security configuration; default configuration most common
Malicious hacker (“James Bond”; <.1% of rogue APs)
• Penetrates physical security specifically to install a rogue AP
• Can customize AP to hide it from detection tools
• Hard to detect; more effective to prevent via 802.1x and physical security
• More likely to install LINUX box than an AP
Media Attention to Rogue APs: Wardriving
• Pringles can antenna
– 12 dBi gain
– 45 minutes to construct
– $6.45 total cost
– http://www.oreillynet.com/cs/weblog/view/wlg/448
• 12,600 hits on Google for wardriving
• Most wardrivers use NetStumbler to find, map (using GPS), and upload locations of discovered APs to online database
• NetStumbler is a free download for Windows and WinCE
War Driving (wôr dri'vin) v. 1. Driving around looking for unsecured wireless networks. Term coined by Pete Shipley
http://www.wirelesscentral.net/aprod/STUM-ANTW.html?ns
NetStumbler in use – 59 APs in 7 miles
• My daily drive to work taken within the car at normal speeds with an IPAQ running NetStumbler with an integrated PCMCIA antenna
• In addition to AP MAC address and SSID, the following information is available with NetStumbler
– 802.11 channel
– Signal to Noise Ratio (SNR)
– Latitude/longitude (if GPS connected)
– More…
[Figure: 59 APs found, split into WEP off and WEP on, with the SSIDs of APs found]
Media Attention to Rogue APs: WarChalking
What is Warchalking?
• Warchalking is the process of looking for wireless computer networks and making chalk marks to indicate their locations so that others can more easily find them.
• http://www.warchalking.org/
– Online community containing descriptions and photos of warchalked sites
• 12,100 hits on Google for “warchalking”
Summary…
• You probably already have a WLAN deployment in your corporate network (whether you know it or not)
• An IT deployed and supported WLAN is the best way to prevent insiders from installing their own APs
• 802.1x on switched infrastructure prevents Rogue Devices
– Effective against all classes of unauthorized access (frustrated insider and “malicious hacker”)
– Allows identity based policy on switch port
• Do your own ‘war walking’
Questions?