Abstract
Wireless technology has hit critical mass before the security & controls have matured. Organizations are architecting wireless solutions for current business requirements, & homes are integrating wireless environments that are often used as a platform for business laptops to connect to the workplace. This presentation will examine the architecture, security, & control challenges for SOHO as well as enterprises. Emerging standards, providers, & best practices for securing & controlling wireless will be discussed. This presentation is for the intermediate to advanced practitioner.
Agenda:
Motivation for Wireless in the Enterprise
Wireless Topologies, Characteristics, & Standards
Wireless Challenges, Opportunities, & Architecture Issues
Specific Threats & New Authentication Mechanisms
Wireless Management Issues
Possible Architectures
Trends
Summary
% Laptops deployed with built-in wireless: 2002 20%, 2003 60%, 2004 90%.
Consumer purchases are 48% of sales & enterprises are about 43%; operators/ISPs make up the remainder. In 2003, 11% was 802.11G.
MAN (Metropolitan Area Network): 802.11, 802.16, MMDS, LMDS
LAN (Local Area Network): 802.11 & HiperLAN2
PAN (Personal Area Network): Bluetooth
LAN/WLAN: Standards 802.11A, B, G; HiperLAN2 (Europe). Speed 11 & 54 Mbps (now), 22 & 100 Mbps (plans).
MAN: Standards 802.11/802.16, MMDS, LMDS.
WAN: Standards GSM, GPRS, CDMA2000, 2.5-3G. Speed 10 to 384 Kbps. Range: Long.
Bluetooth: Speed < 1 Mbps. Range: Short. Apps: Peer-to-Peer, Device-to-Device.
802.11 family description:
5 GHz, 54 Mbps max
2.4 GHz, 11 Mbps max
Quality of Service (QoS)
Inter-Access Point Protocol (IAPP)
2.4 GHz, 54 Mbps max
Dynamic Frequency Selection (DFS) & Transmit Power Control (TPC)
Security
Note: 22 Mbps is proprietary
Connections: Difficult to assure C.I.A. of data over multiple 3rd-party wireless data networks. Enabling different makes & models of mobile devices (PDAs, cell phones, laptops) to work securely with new interfaces to e-business applications, especially when the security capabilities are severely restricted (VPN, PKI, certs, ECC, CPU).
Mgmt & Integration of New Devices, OSs, Protocols & Applications into the Security Architecture: Variety of vendors & AP/node management options (IBM, CA, CISCO, & ...). Immaturity of wireless devices, operating systems, applications & network technologies (firmware upgrades are frequent, especially for 802.11A & G, LEAP/PEAP). Increased size of the user base increases the threat of hacker & malicious code attacks. New policies, procedures, practices, personnel, mechanisms, services & objects!
Password Vulnerability: The initial password on wireless devices tends to be deactivated by the manufacturer or user, thus allowing unauthorized access to the AP/connected devices.
Wireless devices may have remote configuration facilities, undocumented APIs or software bugs which could be exploited.
Denial-of-Service Attacks: Jamming or continuous transmission of large amounts of data to the wireless device will use network bandwidth, thus leading to performance degradation or non-availability.
Loss-of-Data: Storage capabilities of mobile devices are increasing. If a device malfunctions, is lost, or data is accidentally deleted, with no recent data backup or lack of restoration capability, the data will be lost forever.
Security Services
Maintenance of AP & wireless card firmware upgrades
Authentication, Authorization, & Access Control to wireless subnets/servers
Audits, Reviews, Compliance Checks for wireless components & critical settings
Network Architecture of Wireless: AP placement, redundancy, & bandwidth
Encryption & Integrity of wireless transmissions
Security Mechanisms
Tools
Wireless Usage Policy (External & Internal)
VPN Usage Policy
Wireless Placement
Critical Security & Privacy Issues for Wireless LAN: According to IDC's Mobile Council Advisory Survey, the most significant wireless security concerns are:
Management of device security
Corruption of data sent to wireless devices
Malicious code & malware (viruses, Trojans, worms)
Unauthorized users
Confidentiality of data sent wirelessly
Security of data stored on a handheld device
CIA can be lost for information as it passes over wireless data networks.
Operators often turn off encryption, & anonymous AP resets will set the AP back to defaults. Note: Not all vendors provide a physically accessible reset button.
War driving can collect valuable info that is often shared on the Internet.
Rogue access points can collect valuable info used later to break systems.
Data interception on backbone networks can result in information disclosure.
RF signal jamming can lead to unavailability of mobile devices & the network.
One-way authentication: Most wireless clients are authenticated to the network, not vice versa (one-sided authentication only). This enables "man-in-the-middle" attacks to eavesdrop on transmissions.
Paths of communication may pass through multiple uncontrolled networks (Execs LAN).
Lack of security awareness of users. Actually your biggest bang for the buck.
Weak wireless crypto algorithms allow RF scanning & decryption of WEP keys.
Physical security issues (access points and cards are easy to steal!).
Lack of policies, procedures, compliance & audit understanding.
Lack of granularity in access: often an all-or-nothing approach to access.
Minimal mainstream network infrastructure support (probes, agents, IDS, RADIUS with LEAP/PEAP/EAP support).
Diagram: LAN with a secure valid AP, an unsecured rogue AP, a hacker, and an internal client.
Threats: Man-in-the-Middle Access Point Clone intercepting traffic: An attacker can trick legitimate wireless clients into connecting to the attacker's honey pot network by placing an unauthorized base station with a stronger signal, mimicking a legitimate base station, in close proximity to the wireless clients. This may cause unaware users to attempt to log into the attacker's man-in-the-middle servers. With false login prompts, the user can unknowingly give away sensitive data like passwords.
Diagram: hacker, LAN, internal client.
Client Disassociations: Forced client re-association / disassociation attacks. This effectively causes a denial of service on the client under attack. A second form of this attack is to take over an established connection.
Diagram: hacker, internal client, LAN. No mutual authentication.
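The forced-disassociation denial of service described above leaves a recognisable footprint in a management-frame log: many DEAUTH/DISASSOC frames from one BSSID in a short window, or a single DEAUTH addressed to the broadcast address. The following detector is an added example, not from the presentation; the log format, the MAC addresses and the thresholds are constructed for illustration.

```python
"""Flag deauthentication / disassociation floods in an 802.11 management-frame log.

A legitimate AP sends the occasional DEAUTH/DISASSOC (client inactivity, client
leaving); a forced-disassociation DoS shows up as a burst from one BSSID.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from the slides). One frame per line:
#   <ISO timestamp> <subtype> bssid=<AP MAC> dst=<client MAC> reason=<802.11 reason code>
ROGUE_BSSID = "00:0b:85:de:ad:01"  # constructed address of a spoofing station
BENIGN_FRAMES = [
    "2003-08-12T10:15:00 ASSOC_REQ bssid=00:0b:85:11:22:33 dst=00:40:96:aa:bb:01 reason=0",
    "2003-08-12T10:15:04 DISASSOC bssid=00:0b:85:11:22:33 dst=00:40:96:aa:bb:01 reason=8",
    "2003-08-12T10:16:30 DEAUTH bssid=00:0b:85:11:22:33 dst=00:40:96:aa:bb:02 reason=4",
]
FLOOD_FRAMES = [  # ten spoofed DEAUTHs in ten seconds, then one aimed at every client
    f"2003-08-12T10:17:{i:02d} DEAUTH bssid={ROGUE_BSSID} dst=00:40:96:aa:bb:{i + 1:02x} reason=7"
    for i in range(10)
] + [f"2003-08-12T10:17:10 DEAUTH bssid={ROGUE_BSSID} dst=ff:ff:ff:ff:ff:ff reason=7"]

WINDOW_SECONDS = 10   # sliding window per BSSID
THRESHOLD = 8         # DEAUTH/DISASSOC frames within the window that count as a flood
BROADCAST = "ff:ff:ff:ff:ff:ff"

def parse_frame(line: str) -> dict:
    ts, subtype, *pairs = line.split()
    frame = dict(pair.split("=", 1) for pair in pairs)
    frame.update(ts=datetime.fromisoformat(ts), subtype=subtype)
    return frame

def detect_floods(lines, window=WINDOW_SECONDS, threshold=THRESHOLD) -> list:
    """Return alert tuples; input lines are assumed to be in time order."""
    recent = defaultdict(deque)   # bssid -> timestamps of recent DEAUTH/DISASSOC
    alerted, alerts = set(), []
    for line in lines:
        f = parse_frame(line)
        if f["subtype"] not in ("DEAUTH", "DISASSOC"):
            continue
        if f["dst"] == BROADCAST:   # one frame that kicks every client off the AP
            alerts.append(("broadcast_deauth", f["bssid"], f["ts"].isoformat()))
        q = recent[f["bssid"]]
        q.append(f["ts"])
        while (f["ts"] - q[0]).total_seconds() > window:
            q.popleft()               # drop timestamps that fell out of the window
        if len(q) >= threshold and f["bssid"] not in alerted:
            alerted.add(f["bssid"])   # report each flooding BSSID once
            alerts.append(("flood", f["bssid"], len(q)))
    return alerts
```

Running detect_floods(BENIGN_FRAMES + FLOOD_FRAMES) yields one flood alert for the rogue BSSID and one broadcast-deauth alert, while the benign frames alone produce nothing.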
802.1X WPA authentication methods:
LEAP: User authentication via user ID & password. Supports Windows, CE, Linux, Mac OS, and DOS. Aggressive licensing program by Cisco to other vendors.
EAP-TLS: User authentication via client certificates & server certificates. Supported in XP, with other Windows versions by 2004. Currently used by Microsoft.
PEAP: User authentication via user ID and password or OTP. Supported by Cisco Aironet client adapters and by Microsoft in various Windows versions. Uses server-side TLS, which requires only server certificates.
EAP-TTLS: User authentication via user ID & password or OTP. Uses server-side TLS.
Diagram: 802.1X exchange between client, AP and RADIUS server (Start, Request identity, identity, ..., derive key).
Mutual Authentication is required to prevent rogue clients from accessing your network, AND to prevent rogue APs from stealing data from your clients.
PEAP Authentication:
Use server-side EAP-TLS to authenticate the RADIUS server.
Use the tunnel to authenticate the user, against the user database, via a user-supplied token, One Time Password, or other data.
PEAP sets up a secure, encrypted tunnel between client and RADIUS server.
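The order of the two PEAP phases is what defeats the access-point clone from the earlier slide: the client verifies the RADIUS server's certificate first, and the user credential only travels once that check has passed. The toy model below is an added example, not the presentation's own material; it replaces X.509 and TLS with an HMAC tag over the server name standing in for a CA signature, and the server name, CA key and user database are constructed.

```python
"""Toy model of PEAP phase 1 (server authentication) and phase 2 (user credential
inside the tunnel). Not real TLS: a 'certificate' here is an HMAC tag computed by
the CA over the server name, standing in for an X.509 signature."""
import hashlib
import hmac

def issue_cert(ca_key: bytes, server_name: str) -> dict:
    """CA binds a server name to a tag; only the holder of ca_key can produce it."""
    tag = hmac.new(ca_key, server_name.encode(), hashlib.sha256).digest()
    return {"name": server_name, "sig": tag}

class RadiusServer:
    def __init__(self, cert: dict, users: dict):
        self.cert, self.users = cert, users
        self.captured = []  # every credential this server receives in phase 2

    def phase2(self, username: str, password: str) -> bool:
        self.captured.append((username, password))   # a rogue server simply logs these
        return self.users.get(username) == password

class PeapClient:
    def __init__(self, ca_key: bytes, server_name: str, validate_server: bool = True):
        self.ca_key, self.server_name = ca_key, server_name
        self.validate_server = validate_server        # False models a misconfigured client

    def authenticate(self, server: RadiusServer, username: str, password: str) -> str:
        if self.validate_server:  # phase 1: check the cert before anything leaves the client
            cert = server.cert
            expected = hmac.new(self.ca_key, cert["name"].encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, cert["sig"]) or cert["name"] != self.server_name:
                return "server-rejected"
        # phase 2: credential travels inside the tunnel (encryption elided in this model)
        return "accepted" if server.phase2(username, password) else "denied"

def demo() -> dict:
    ca_key = b"constructed-ca-key"  # constructed; the real CA key never leaves the CA
    legit = RadiusServer(issue_cert(ca_key, "acs.corp.example"), {"alice": "s3cret"})
    # Rogue server behind an AP clone: no CA key, so it self-issues a look-alike cert.
    rogue = RadiusServer(issue_cert(b"attacker-key", "acs.corp.example"), {})
    strict = PeapClient(ca_key, "acs.corp.example")
    lax = PeapClient(ca_key, "acs.corp.example", validate_server=False)
    return {
        "strict_vs_legit": strict.authenticate(legit, "alice", "s3cret"),
        "strict_vs_rogue": strict.authenticate(rogue, "alice", "s3cret"),
        "rogue_saw_after_strict": list(rogue.captured),
        "lax_vs_rogue": lax.authenticate(rogue, "alice", "s3cret"),
        "rogue_saw_after_lax": list(rogue.captured),
    }
```

With server validation on, the rogue never sees the password; with it off, the rogue's log holds the one value the slides identify as the remaining unknown.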
VPN architecture (diagram: wireless VPN clients, APs, VPN concentrator behind the APs, firewall, enterprise network, Internet).
Limitations of the VPN approach:
Performance: Encryption is done in software on the client.
Roaming: Roaming between VPN concentrators forces application restarts.
QoS: All traffic is IPSec traffic; no QoS, multicast, or multiprotocol support.
Clients: Not supported on phones, scanners, or other specialized devices.
Future:
Stronger encryption schemes such as AES
WPA requires authentication & encryption
802.1X authentication choices include LEAP, PEAP, TLS
Adds to 802.1X & TKIP
Widespread adoption of WPA will add robust security & remove the security issue from the WLAN industry
WPA will become accepted as the standard
WPA compliance is needed for Wi-Fi certification of new products beginning in August 2003
Rogue 802.1x log error issues: Clients authenticating with rogue access points & rogue Cisco ACS servers will show up in the rogue ACS server logs as user ID failures. Hence the only unknown is the password, as the user ID, SSID & MAC can all be determined.
802.1x session termination: Authenticated clients can be sent a session termination string by a rogue access point / client combination, allowing the rogue client to continue an established session.
Diagram: rogue AP, rogue DHCP server, rogue ACS server (error log, authentication log), 802.1x internal wireless client, valid AP.
Massive user base demanding confidentiality & privacy while roaming
Insecure pervasive devices
New & innovative applications & technologies introduce many new vulnerabilities
Diagram: Wireless Devices (users, personal application services); Wireless Networks (WPAN, WLAN, WWAN); Wireless Applications (Internet services, Intranet / corporate office services, wireless messaging, wireless lifestyle facilitation).
Weak user authentication controls; insecure RF interfaces; data transmitted over the air with weak authentication & encryption controls.
Internet weaknesses still apply but are made worse by the much larger user base.
Security Management (matrix of Public Access, Enterprise, and Traveler against weakness areas: Application Security, Environment Integrity & Robustness, Client Security Strength, Network Security & Technology Issues):
Standards & technology issues
Policy creation
Training for support
WEP key / password quality
Technology (TKIP, AES, WAP)
Compliance & client detection tools
Technology & architecture (VPN, RADIUS, FW)
Network design & AP layout
Network review, IDS, & vulnerability assessments
Education for policy, compliance & access control
Standards, architecture, patch management
Diagram of multi-SSID AP layout: Channel 6. SSID laptop = VLAN 1 (Security: PEAP, TKIP); SSID pda = VLAN 2 (Security: LEAP, CKIP); SSID phone = VLAN 3. Components: Internet, firewall, RADIUS, VLANs, APs.
Technology:
Session cryptography/VPNs
File encryption
Content and virus filtering
Personal firewalls
User and device authentication
User authorization
Wireless PKI
Intrusion detection
Security management
Architecture:
Structured design method
Functional architecture
Operational architecture
End-to-end security design
Managed intrusion response
Security services
Processes:
Risk management process
Incident management process
Change management process
Audit process
Security awareness program
Skills:
Risk management expertise
IT security expertise
Architecture and design expertise
Industry knowledge
Wireless Strategy
Wireless Readiness Assessment
Wireless Value
Wireless Requirements
Wireless Policy
Conceptual Architecture
Functional Architecture
Wireless Product Selection
Site Selection & Facility Design
Component Architecture
Process Development
Conclusion
Wireless is rapidly growing & has potential to increase productivity, especially in SOHO, homes, and certain industries.
Wireless is currently insecure, but solutions are maturing rapidly.
Wireless technology is becoming embedded in many form factors (laptops, PDAs, cellphones, etc.).
802.11 WEP security is insufficient for the enterprise.
802.1x & 802.11i offer great improvements and mitigate several security concerns.
True mobile 802.11 wireless is difficult, but Mobile IP and other technologies are tackling the problem.
New technologies create new and old challenges.
People, Process, Policies, & Architecture are required to deploy wireless securely.