1 copyright © 2005, cisco systems, inc. all rights reserved. applying security principles to...

1Copyright © 2005, Cisco Systems, Inc. All rights reserved.

Applying Security Principles to Networking Applications

Mark Enrightenright@cisco.com

Dec 08, 2005

222Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

What is Security in Computer Development Projects

• What are you protecting

• Why are you protecting it

• From whom are you protecting it

• How are you going to protect it

• What is the cost of protecting it

333Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

Wired Access Topology

V V

Internet

Access Device

Local Area Network (LAN)

Wide Area Network (WAN)

444Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

Wireless Access Topology

Internet

Access Device

Local Area Network (LAN)

Wide Area Network (WAN)

555Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

Wireless Access Topology

Internet

Access Device

Local Area Network (LAN)

Wide Area Network (WAN)

666Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

Wireless Access Security Complication

• Physical Access to Local Area Network no longer exists

– Anyone can intercept your conversations

– Anyone can utilize your network resources

777Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

Security Solution For Wireless Access

• Authentication

• Encryption

888Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

Typical Solution for Wireless Access

Internet

1) Where is Access Point

“MyAP”

2) I am here. Prove you know my secret

999Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

Typical Solution for Wireless Access

Internet

3) Here is my proof

4) OK. Here are session keys

101010Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

So Whats The Problem?

• Wireless Access is a huge Consumer Market

• People are beoming concerned with Wireless Security

• My GrandMother cant use it

111111Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

What Can We Do To Help

• Make it easy for Grandma to set up Wireless Security

121212Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

Step 1. Configure Security Parameters Automatically

Internet

When Access Point is booted 1st time:Configures Random Secure SSID

Configures Random WPA Shared Secret

Waits for Wireless Association on Secure SSID

SSID: r@ndOm 55ID

WPA-PSK: R@NDOM_P@SsW0Rd

131313Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

Step 2.

• How Can We Transfer Security Parameters Securely?

141414Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

Step 2. Trial One

SSID: Well Known SSID

Open Authentication

1) W

here i

s my A

cces

s

Point “

Well

Known S

SID”

2) H

ere

I am

. Com

e on in

151515Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

Step 2. Trial One

SSID: Well Known SSID

Open Authentication 3)

Give

me S

ecurit

y

Param

eter

s

4) H

ere

They A

re

161616Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

Step 2. Trial One

1) W

here i

s my A

cces

s

Point “

r@ndOm

55ID

”

2) I

am h

ere.

Pro

ve y

ou know m

y se

cret

SSID: r@ndOm 55ID

WPA-PSK: R@NDOM_P@SsW0Rd

171717Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

Step 2. Trial One

3) H

ere i

s my p

roof

4) O

K. Her

e ar

e se

ssio

n key

s

SSID: r@ndOm 55ID

WPA-PSK: R@NDOM_P@SsW0Rd

181818Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

Step 2. Trial One Attack

SSID: Well Known SSID

Open Authentication

1) Where is my Access

Point “Well Known SSID”

2) Here I am. Come on in

191919Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

Step 2. Trial One Attack

SSID: Well Known SSID

Open Authentication

3) Give me Security

Parameters

4) Here they are

202020Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

Step 2. Trial Two

• What Authentication is possible given constraints

– something we know

– something we have

– something we are

– something we do

• If we can’t be sure, at least be safe

212121Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

Step 2. Trial Two

SSID: Well Known SSID

Open Authentication

Wher

e is m

y Acc

ess

Point “

Well

Known S

SID”

Here

I am

. Com

e on in

Where is m

y

Access Point “Well

Known SSID”

Here I am. Com

e on in

222222Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

Step 2. Trial Two

SSID: Well Known SSID

Open Authentication

1) G

ive M

e Sec

urity

Param

eter

s

Hang o

n a s

ec

Give Me Security

Parameters

Unable to guarantee unique access

Access to all denied

232323Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

Step 2. Trial 2 Attack

• Attacker just Associates and Listens

242424Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

Trial 3.

• Use Trial 2 Method for Authentication

• Use SSL for Encryption

252525Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

So Whats The Problem with IPSec?

• Network Protection is a huge Consumer Market

• People are beoming concerned with Security and look to IPSec for help

• My GrandMother cant use it

262626Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

Network Address Translation

Internet

Local Area Network (LAN)

Wide Area Network (WAN)

192.168.1.100

192.168.1.100

192.168.1.101

192.168.1.101

172.204.19.32

62.2.12.17

272727Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

The RoadWarrior IPSec Problem

• With common implementations the IP Address need to be known a priori or else a global shared secret is used for Authentication

• Mobility and NAT make it hard to predict the IP Address

282828Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

RoadWarrior Solution

2. Client configuredWeb Install client software

Configure address of Home Gateway

3. Client software connectsLogs on to HTTPS

Initiates the IPSec VPN

1. Gateway configuredSSL Username, password

4. Gateway acceptsAuthenticates Client by password

Figures out current Client IP Address

Provisions IPSec for Client IP Address

Joins Client to Protected Network using IPSec VPN

HomeGateway

Internet

Pro

tected

Netw

ork

IPSec VPN Tunnel

HTTPS

Road Warrior Client

292929Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795