
CSG357 Dan Ziminski & Bill Davidge 1

Effective Wireless Security – Technology and Policy

CSG 256 Final Project Presentation by Dan Ziminski & Bill Davidge


AGENDA

Some attacks on WLANs

Authentication Protocols

Encryption Protocols

Rogue AP problem

Case Studies


802.11 Passive Monitoring

Diagram: Station <---> Access Point, with an attacker passively monitoring the channel and capturing data. Captured traffic shown on the slide: Username: dziminski, Password: cleartext. Nothing on the air is encrypted, so a listener in radio range recovers the credentials without transmitting a single frame.


802.11 DoS Attack

Diagram: Station <---> Access Point. The attacker spoofs an 802.11 Disassociate frame with the AP's source address, and the station's connection is broken (X). 802.11 management frames carry no authentication or integrity protection, so any station in range can forge them; this weakness was later addressed by 802.11w protected management frames.


802.11 Man in the Middle Attack

Diagram: Station <---> Attacker <---> Access Point. Toward the station the attacker presents the AP's SSID and MAC address; toward the real AP it presents the station's MAC address.

• Attacker broadcasts a spoofed AP SSID and MAC address.
• Station unknowingly connects to the attacker, which relays frames to the real AP.
• A MITM position can always be established at the 802.11 layer: nothing stops an attacker from advertising the same SSID and BSSID.
• But if strong (mutual) authentication and encryption are used, the attacker is nothing more than a bridge: the station only completes authentication with the legitimate server, and the relayed traffic can be neither read nor modified.


Authentication and Encryption Standards

Diagram (reconstructed from the slide):

Authentication protocols
  802.1x (IEEE): port-based access control, carries EAP between station and RADIUS server
  EAP (IETF): the extensible authentication framework itself
  EAP-TLS (MSFT/IETF): credentials = certificate, protected by TLS
  PEAP (CSCO/MSFT, IETF): credentials = username/password, protected by TLS

Encryption standards and algorithms
  WEP: RC4
  WPA-TKIP: RC4
  802.11i: AES


802.1x Authentication

Roles (diagram): Station = Supplicant; Access Point = Authenticator; RADIUS Server = Authorizer (the 802.1x standard calls this the Authentication Server). The AP only relays EAP between supplicant and RADIUS server and opens the port once the server returns success.


802.1x EAP-TLS Authentication

Diagram: Station (Supplicant) <---> Access Point (Authenticator) <---> RADIUS Server (Authorizer). The station holds a client digital certificate from the XYZ CA; the RADIUS server holds a server digital certificate from the same XYZ CA. Each side authenticates the other with its certificate during the TLS handshake, so no password is ever sent.


802.1x PEAP Authentication

Diagram: Station (Supplicant) <---> Access Point (Authenticator) <---> RADIUS Server (Authorizer) <---> Directory Server. Only the RADIUS server holds a digital certificate (from the XYZ CA).

Phase 1: The station authenticates the RADIUS server from its certificate and builds a TLS tunnel to it. The AP only relays EAP; the AP itself is not authenticated and cannot see inside the tunnel.

Phase 2: Password authentication inside the tunnel. The username (Dan) and password travel encrypted to the RADIUS server, which checks them against the directory server and returns Success/Fail.


VPN Authentication and Encryption

Diagram: Station <---> Access Point <---> VPN Gateway <---> LAN, with an IPsec VPN tunnel from the station to the VPN gateway. The wireless link carries only tunnelled traffic; authentication and encryption happen at the IP layer rather than in 802.11.


Web Authentication

Diagram: Station <---> Access Point <---> Web auth security device <---> LAN, with a backend RADIUS server behind the web auth device. The station is presented with an HTTPS login page; the credentials are checked against the RADIUS server before the device passes traffic to the LAN.


Which Authentication to Choose?

Wireless auth type              Desktop control needed   Cost to implement   Difficult to manage   Vendor support problems   Vulnerable to attack
VPN                             high                     high                medium                low                       low
WEP                             medium                   low                 high                  low                       high
802.1x EAP-TLS (certificates)   high                     high                high                  medium                    low
802.1x PEAP                     medium                   medium              medium                medium                    low
Web auth                        low                      low                 medium                low                       medium


WEP Encryption

Frame layout: [ IV ][ Payload ][ CRC-32 ]
  IV: 24 bits, sent in clear text
  Payload and CRC-32 (integrity check): encrypted with RC4. The 24-bit IV is concatenated with the 40- or 104-bit shared key to form the 64- or 128-bit RC4 key.

WEP has several problems:
1. The IV is too small. A 24-bit IV gives only 16,777,216 values; at 10,000 packets per second every IV repeats within about 28 minutes (about 5 hours at 1,000 packets per second), and two packets with the same IV share the same RC4 keystream.
2. There are several "weak keys": certain IVs produce RC4 keys whose first keystream bytes leak key bytes (the FMS attack), so those packets are especially valuable to an attacker.
3. No key update mechanism is built in; the static key is shared by every station.
4. Message replay attacks and DoS. There is no sequence counter to reject replayed frames, and the CRC-32 is a linear checksum rather than a keyed MAC, so an attacker can flip bits in a ciphertext and fix the checksum without knowing the key.
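The two weaknesses above that matter most in practice, keystream reuse when an IV repeats and the malleability of the CRC-32 integrity check, can be seen directly in a WEP-style implementation. The following Python is an added example written for this page, not code from the presentation: it implements RC4 and the IV || key construction WEP uses, then shows that (a) two frames encrypted under the same IV leak the XOR of their plaintexts and (b) an attacker who knows neither the key nor the plaintext can flip chosen bits and still produce a valid ICV. The key, IV and the two payloads are constructed sample values.

```python
"""WEP-style RC4 encryption: IV reuse and CRC-32 malleability (added example)."""
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling (KSA) followed by `length` bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_le(data: bytes) -> bytes:
    """WEP's ICV: CRC-32 of the payload, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame = IV (24 bits, clear) || RC4(IV || key, payload || ICV).
    key is the 40- or 104-bit shared secret (5 or 13 bytes)."""
    assert len(iv) == 3 and len(key) in (5, 13)
    plain = payload + crc32_le(payload)
    return iv + xor(rc4_keystream(iv + key, len(plain)), plain)


def wep_decrypt(key: bytes, frame: bytes):
    """Return (payload, icv_ok); icv_ok is False when the ICV does not match."""
    iv, body = frame[:3], frame[3:]
    plain = xor(rc4_keystream(iv + key, len(body)), body)
    payload, icv = plain[:-4], plain[-4:]
    return payload, icv == crc32_le(payload)


def iv_reuse_leak(frame1: bytes, frame2: bytes) -> bytes:
    """Problem 1: same IV => same keystream, so c1 ^ c2 == p1 ^ p2.
    Returns the XOR of the two plaintexts (payload || ICV) without the key."""
    assert frame1[:3] == frame2[:3], "only meaningful when the IV repeats"
    n = min(len(frame1), len(frame2)) - 3
    return xor(frame1[3:3 + n], frame2[3:3 + n])


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Problem 4: CRC-32 is affine over GF(2), so for equal-length inputs
    crc(p ^ delta) == crc(p) ^ crc(delta) ^ crc(0...0).
    XOR `delta` into the encrypted payload and patch the encrypted ICV to
    match, without knowing the key or the plaintext."""
    n = len(frame) - 3 - 4
    assert len(delta) == n
    icv_delta = struct.pack("<I", (zlib.crc32(delta) ^ zlib.crc32(b"\0" * n)) & 0xFFFFFFFF)
    return frame[:3] + xor(frame[3:], delta + icv_delta)


def iv_repeat_seconds(iv_bits: int, packets_per_second: float) -> float:
    """Worst-case time until a sequential IV counter wraps."""
    return 2 ** iv_bits / packets_per_second


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                   # the same IV used twice
    p1, p2 = b"Username: dziminski", b"Password: cleartext"   # values from slide 3
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    print("XOR of plaintexts leaked:", iv_reuse_leak(f1, f2)[:len(p1)] == xor(p1, p2))
    tampered = flip_bits(f1, b"\x20" + b"\0" * (len(p1) - 1))  # 'U' -> 'u'
    print("tampered frame accepted:", wep_decrypt(key, tampered))
    print("24-bit IV wraps in %.0f s at 10k pkt/s" % iv_repeat_seconds(24, 10_000))
```

The leak in `iv_reuse_leak` is why a 24-bit IV is fatal: with known plaintext in one frame (a DHCP or ARP packet, say) the other frame is recovered outright. The patched ICV in `flip_bits` is why WPA had to add a keyed message integrity check rather than keep the CRC.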


Wi-Fi Protected Access (WPA) TKIP encryption

• Wi-Fi Protected Access is an interim standard created by the Wi-Fi Alliance (a group of manufacturers) ahead of 802.11i.
• WPA-TKIP fixes the known problems with WEP:
  – The IV grows to 48 bits, with per-packet key mixing so there are no weak keys; at 10,000 packets per second an IV repeats only after about 900 years.
  – The IV doubles as a replay counter, so repeated or out-of-order frames are dropped.
  – A message integrity check (the Michael MIC) replaces the linear CRC-32 as the only integrity protection.
  – Per-packet keying: every frame is encrypted under a different RC4 key.
• Supported on many wireless cards and on Windows XP (after applying two hot fixes).
• Uses 802.1x for key distribution.
• Can also use static (pre-shared) keys.


TKIP – Per Packet Keying

Diagram (reconstructed from the slide):

  48-bit IV = 32-bit upper IV || 16-bit lower IV
  Phase 1 key mixing: session key + transmitter MAC address + 32-bit upper IV -> intermediate key
  Phase 2 key mixing: intermediate key + 16-bit lower IV -> per-packet key
  Per-packet RC4 key (128 bits) = 24-bit WEP-style IV || 104-bit key

• Fixes the weaknesses of WEP key generation (the per-packet key is no longer simply IV || static key, and because the MAC address is mixed in, the same IV never yields the same key for two stations) but still uses the RC4 algorithm, so it can run on existing WEP hardware.


802.11i AES encryption

• Ratified by the IEEE (not the IETF) in June 2004.
• Uses the AES algorithm for encryption (AES-CCMP) and 802.1x for key distribution.
• Backwards compatible with TKIP to support WPA clients (TKIP remains an optional cipher in 802.11i).
• 802.11i not in many products yet at the time of this presentation; AES-CCMP generally needs new hardware rather than a firmware update.


Which Encryption to Choose?

Wireless encryption type   Desktop control needed   Cost to implement   Difficult to manage   Vendor support problems   Vulnerable to attack
none                       low                      low                 low                   low                       high
WEP                        medium                   low                 high                  low                       medium
WPA TKIP                   high                     high                high                  medium                    low
802.11i AES                high                     high                high                  high                      none
VPN                        high                     high                medium                low                       none


Newbury Networks

• 3-hour "war driving" session during the DNC in Boston
  – A total of 3,683 unique Wi-Fi devices
  – An average of 1 wireless network card every 2 minutes
  – Nearly 3,000 of the total Wi-Fi devices were discovered in Boston's Back Bay


3-hour "war driving" DNC in Boston

  – 65% of the wireless networks detected had no encryption
  – 457 unique wireless access points, the majority of which were unsecured


DefCon X Hacker Convention-2002

• 2-hour monitoring of the wireless LAN
  – Identified 8 sanctioned access points
  – 35 rogue access points, and more than 800 different station addresses


DefCon X Hacker Convention-2002

  – 200 to 300 of the station addresses were fakes
  – 115 peer-to-peer ad hoc networks; identified 123 stations that launched a total of 807 attacks during the two hours
  – 490 were wireless probes from tools such as NetStumbler and Kismet


DefCon X Hacker Convention-2002

• 100 were varying forms of Denial-of-Service attacks that either
  – jammed the airwaves with noise to shut down an access point,
  – targeted specific stations by continually disconnecting them from an access point, or
  – forced stations to route their traffic through other stations


DefCon X Hacker Convention-2002

  – 27 attacks came from out-of-specification management frames, where hackers launched attacks that exploited 802.11 protocols to take over other stations and control the network
  – 190 were identity thefts, such as when MAC addresses and SSIDs


Case Studies: University

• University
  – fosters an open, sharing environment
  – "…allow all, deny some…" as far as access goes
  – large area
  – large user population
  – knowledgeable support group and a wide spectrum of knowledge in the user base


Case Studies: Financial Institution

  – restricted access
  – limited number of authorized users
  – technical staff with control of user hardware
  – geographically dispersed locations


Case Study: Global Bank (alias)

• In the process of deploying an enterprise WLAN.
• Using 802.1x EAP-TLS with client certificates for authentication.
• Tested PEAP, but failed authentication attempts would lock out users' Active Directory accounts (each failed inner password attempt counts toward the domain lockout threshold).
• Had a small VPN pilot but found it didn't scale.
• Originally started testing WPA-TKIP but hit too many interoperability problems between cards and APs.
• Switched to WEP with keys rotated every 30 minutes via 802.1x (dynamic WEP). They feel that this is secure enough. Caveat: at 10,000 packets per second the 24-bit IV space repeats in about 28 minutes, so a 30-minute rotation only barely keeps ahead of IV reuse on a busy AP.
• Monitor for rogue APs. Any rogue that is detected by 3 or more APs is investigated and removed if it is on the LAN.
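The rogue-AP rule in this case study (a BSSID reported by three or more of the bank's own APs gets investigated) and the evil-twin setup from the man-in-the-middle slide are easy to express as detection logic over sensor scan reports. The following Python is an added example, not the bank's tooling: the sanctioned-AP list, the BSSIDs, SSIDs and the scan log lines are all constructed, and the log format (sensor id, BSSID, SSID, security, RSSI) is an assumption made for the example.

```python
"""Rogue-AP triage over sensor scan logs (added example with constructed data)."""
from collections import defaultdict

# Sanctioned APs: BSSID -> (SSID, expected security). Constructed values.
SANCTIONED = {
    "00:0b:86:11:22:33": ("corp-wlan", "WPA"),
    "00:0b:86:11:22:44": ("corp-wlan", "WPA"),
    "00:0b:86:11:22:55": ("corp-wlan", "WPA"),
}

# Constructed scan log, one line per observation: sensor bssid ssid security rssi
SCAN_LOG = """\
ap-1 00:0b:86:11:22:33 corp-wlan WPA -40
ap-2 00:0b:86:11:22:33 corp-wlan WPA -55
ap-1 00:12:17:aa:bb:cc linksys OPEN -70
ap-2 00:12:17:aa:bb:cc linksys OPEN -72
ap-3 00:12:17:aa:bb:cc linksys OPEN -65
ap-4 00:12:17:aa:bb:cc linksys OPEN -80
ap-1 00:0f:66:de:ad:01 corp-wlan OPEN -50
ap-2 00:0f:66:de:ad:01 corp-wlan OPEN -52
ap-3 00:0c:41:00:00:01 neighbor-net WEP -85
ap-3 00:0b:86:11:22:55 corp-wlan OPEN -45
"""

MIN_SENSORS = 3  # the bank's rule: "detected by 3+ APs"


def parse_scan_log(text):
    """Yield (sensor, bssid, ssid, security, rssi) per non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        sensor, bssid, ssid, sec, rssi = line.split()
        yield sensor, bssid.lower(), ssid, sec, int(rssi)


def triage(scan_text, sanctioned=SANCTIONED, min_sensors=MIN_SENSORS):
    """Return {bssid: [finding, ...]} for every BSSID that needs attention.

    Three checks:
      1. sanctioned BSSID seen with the wrong SSID/security (misconfiguration)
      2. unknown BSSID advertising one of our SSIDs (evil twin / MITM setup)
      3. unknown BSSID seen by >= min_sensors sensors (rogue candidate)
    """
    sensors_seen = defaultdict(set)
    observed = {}  # bssid -> (ssid, security) as last reported
    for sensor, bssid, ssid, sec, _rssi in parse_scan_log(scan_text):
        sensors_seen[bssid].add(sensor)
        observed[bssid] = (ssid, sec)

    sanctioned_ssids = {ssid for ssid, _ in sanctioned.values()}
    findings = defaultdict(list)
    for bssid, (ssid, sec) in observed.items():
        n = len(sensors_seen[bssid])
        if bssid in sanctioned:
            exp_ssid, exp_sec = sanctioned[bssid]
            if (ssid, sec) != (exp_ssid, exp_sec):
                findings[bssid].append(
                    f"sanctioned AP misconfigured: saw {ssid}/{sec}, expected {exp_ssid}/{exp_sec}")
            continue
        if ssid in sanctioned_ssids:
            findings[bssid].append(
                f"possible evil twin: unknown BSSID advertising sanctioned SSID {ssid}")
        if n >= min_sensors:
            findings[bssid].append(
                f"rogue candidate: seen by {n} sensors, investigate and remove if on LAN")
    return dict(findings)


if __name__ == "__main__":
    for bssid, notes in sorted(triage(SCAN_LOG).items()):
        for note in notes:
            print(bssid, "-", note)
```

Reporting the evil-twin case separately from the sensor-count rule matters: an attacker's AP near one building may be heard by only one or two sensors, yet a foreign BSSID announcing the corporate SSID is the MITM precondition from the attack slides and deserves attention regardless of how many sensors see it.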


Case Studies: Home Networks

  – small number of users
  – no expectation of heavy volume
  – limited technological expertise


Q and A

• You Ask

• We Answer