Effective Practices in Wireless Security for Higher Ed
H. Morrow Long, CISSP, CISM
Director - Information Security
Yale University
EDUCAUSE 2004 Annual Conference
Wednesday Oct 20, 2004, 2:15p-3:05p - Track 3 Session
Meeting Room 605 - Denver Colorado Convention Center
Effective Practices Working Group
Copyright Notice
Copyright H. Morrow Long 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
The Problem?
(Slide consists of four screenshots that were not preserved in this transcript.)
Yahoo! Map of Yale
(Map image not preserved in this transcript.)
http://www.wifimaps.com/
(Screenshot not preserved in this transcript.)
http://www.intel.com/ca/personal/do_more/wireless/stories/bondar.htm
With more than 50 speaking engagements a year throughout North America and a career as a photographer that takes her around the world, Bondar, who was chosen to participate in the prestigious Women of Influence speakers series, carries her notebook PC, equipped with Intel® Centrino™ mobile technology, everywhere she goes. On a recent visit to Yale University in Connecticut, Bondar says, "I used it on hospital rounds with neurosurgery residents." This is not your father's notebook, distinguished solely by portability. The built-in wireless technology allows unprecedented freedom. Among its attributes are mobility, of course, enhanced by a thin profile and lightweight components, longer battery life and uncompromised performance. A user within range of a wireless local area network (WLAN), or hotspot, has immediate high-speed access to the Internet and e-mail and can download or send text, data and graphics with ease. "Even five years ago," says Bondar, "wireless technology would have made a huge difference to my life."
(Screenshot not preserved in this transcript.)
WLAN Network Security Terminology Definitions
• VPN
• Supranet
• Internet
• internet
• intranet
• extranet
• ISP
• Firewall
• WEP
• SSL / TLS
• Access Point
• NAT Router
• Bridge
• Encryption
• Authentication
• PKI
• LDAP
• “Certificate”
Wireless Data – Terminology Definition
• IEEE 802.11a
• IEEE 802.11b
• IEEE 802.1x
• IEEE 802.11e
• IEEE 802.11g
• IEEE 802.11i
• Bluetooth
• HomeRF
• Jini
• EAP
• LEAP
• PEAP
• EAP over TLS
• TTLS
• WiFi
• WPA
802.11 Wireless Standards
802.11 – 1 to 2 megabits/second.
802.11b – From 1 up to 11 megabits/second.
• Conflicts with frequency band used by Bluetooth.
802.11a supports data rates of 6 Mbps, 12 Mbps and 24 Mbps, 36 Mbps, 48 Mbps and 54 Mbps.
802.11e – multimedia & QoS improvements, security?
802.11g – 22Mbps and up to 54Mbps
802.1x - Auth. & port access ctl for all 802 LANs
WPA – 802.1X + EAP + TKIP + MIC
802.11i – WPA plus AES (Advanced Enc. Std)
802.11 Generic MAC layer - IBSS
IBSS (Independent Basic Service Set) - AKA “Ad-hoc” network. Stations associate directly with each other without an AP. No relaying, only direct (peer to peer).
802.11 Generic MAC layer - BSS
BSS (Basic Service Set) - AP plus stations. AKA “Infrastructure” network.
Stations need the AP to communicate with each other and/or to relay packets out to the internet.
SSID may be broadcast via beacon frames.
“Association” Request is sent by the client station to the AP. The handshake to set up the association may involve authentication.
“Disassociate” Request may be sent at the end of the session (or may not be sent at all if the station shuts down or moves out of range).
802.11 Generic MAC layer - ESS
ESS (Extended Service Set) - Multiple APs (each with multiple stations) connected (via wireless or wired LAN). AKA Extended “Infrastructure” network.
ESS == Set of BSSs connected via a distribution system (DS). Shared SSID.
APs communicate among themselves.
Entire WLAN is a single MAC layer 2 net.
Station mobility within ESS. AP handoff.
802.11 PHY Specs
PHY       Max Data Rate   Frequency       Modulation
802.11    2 Mb/s          2.4 GHz & IR    FHSS/DSSS
802.11b   11 Mb/s         2.4 GHz         DSSS
802.11g   22-54 Mb/s      2.4 GHz         OFDM
Super-G   108 Mb/s        2.4 GHz         OFDM
802.11a   54 Mb/s         5 GHz           OFDM
802.11b (WECA -> WiFi) & g
Most popular wireless LAN (WLAN).
11 Separate Channels in 2.4 GHz -- overlapping bands of frequencies.
Channels 1, 6 and 11 are commonly used as this allows three non-overlapping channels.
802.11a
Less popular wireless LAN (WLAN).
8 Non-overlapping Channels in the 5 GHz frequency range.
Was the only 54 Mb/s WLAN until 802.11g -- which uses compatible hardware, APs and frequency range.
Wireless Data Risks and Threats – What are we worried about?
Controlling Access to our Network: Preventing intruders and disallowing anonymous access. Identifying and authenticating “trusted” users and devices. Authorization and network access control.
Confidentiality: Preventing eavesdropping and decryption to ensure privacy.
Integrity: Preventing tampering and session hijacking.
Availability: Ensuring quality of service, preventing denial of service.
Wireless Security Problems
Default Passwords
Open Broadcast of SSIDs
No or weak encryption.
Lack of authentication.
Accidental & Malicious association w/rogue APs (M-I-T-M tampering possible).
Sniffing
Spoofing
Denial of Service (DoS) Attacks (Dis-association, Jamming)
Attacks from outside: Spammers & Worms
Default SSID (Service Set Identifier)
Cisco ‘tsunami’
Linksys APs ‘linksys’
Sent in beacon frames
Wireless Security Problems
Network Attacks (Spoofing and Denial of Service (DoS) Attacks) -- Layers 1 thru 3.
Layer 1: Malicious AP overpowering a valid AP.
Layer 2: Spanning Tree packet (802.1D) attacks. Broadcasts causing loops in redundant LANs.
Layer 2: Attacks on EAP endpoints (spoofed start/logoff commands, bogus connect/failure msgs).
Layer 3: ARP Cache Poisoning. Sending spoofed unsolicited ARP replies to computers to have them divert packets.
SSID Security Guidelines
Change the SSID from the vendor default.
Do not set the SSID to a secret (e.g. a password in use elsewhere) nor to anything which provides information to outsiders (e.g. company name).
Configure AP settings to not broadcast the SSID in beacon frames.
WLAN Security Guidelines
Use WEP to deter casual eavesdropping & trespassing.
Use a VLAN & private IP subnet range outside of the corporate intranet.
Firewall the WLAN from the corporate intranet.
Require and use VPNs from stations to enter the corporate intranet.
802.11b Wireless Security Flaws
• Confidentiality - Interception / drive-by snooping
  • WEP – Wired Equiv Privacy
  • VPNs and App Level Crypto (SSL/TLS, SSH)
• Integrity - Impersonation
  • ARP cache poisoning (spoofing wired/wireless)
  • Session Hijacking
• Availability - Denial of service (DoS)
  • Easy to jam with broad spectrum interference
  • Some protection against electric appliances
802.11b Wireless Security Flaws
• Authentication
  • MAC/Hardware Address Control
  • DHCP using registered MAC/HW addresses
  • Firewall plus VPN approach
  • Proprietary
    • Cisco Aironet 350, Cisco driver and RADIUS
  • Web-based authentication
• Authorization - Appropriate Access Control
  • Access Point filters, NAT routers and Firewalls
• Accounting - Public 802.11b ISPs! Credit Cards.
802.11b Wireless Security Flaws
802.11b has been criticized by UC Berkeley ISAAC group researchers as flawed:
http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
At least one public domain program now is available on the Internet which will sniff WEP traffic and brute force reverse engineer the static key which is being used for encryption. Therefore WEP by itself is no longer considered secure to protect 802.11b traffic.
802.11b Wireless Security Flaws
802.11b Access Points and networks were demonstrated as vulnerable to ARP cache poisoning by Cigital, Inc. in September 2001.
• Wireless PCs can be impersonated/traffic redirected.
• SSH and SSL sessions can be hijacked.
• Wired hosts can be impersonated and have their traffic redirected if the access point is attached to a wired LAN.
• Other wireless LANs attached to the same wired LAN are also susceptible to ARP cache poisoning.
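As an added example, not from the slides or any Yale tooling, the following Python monitor flags the Layer 3 ARP cache poisoning pattern described here and in the earlier Network Attacks slide (spoofed unsolicited ARP replies diverting a station's traffic); the packet records and the trusted gateway binding are constructed sample data.

```python
# Added example (not from the original slides): a defender-side monitor for
# spoofed unsolicited ARP replies. ARP records and the trusted gateway binding
# below are constructed sample data, not real Yale addresses.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    ts: float           # capture time in seconds
    op: str             # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


# Static bindings the monitor trusts unconditionally (constructed values).
TRUSTED = {"10.0.0.1": "00:11:22:33:44:01"}   # the WLAN's default gateway


def detect_arp_poisoning(packets, trusted=TRUSTED, max_ips_per_mac=2):
    """Return alerts as (ts, reason, sender_ip, sender_mac) tuples.

    Three indicators, all visible from a passive capture on the WLAN's VLAN:
      1. a reply for a trusted IP (the gateway) carrying a different MAC;
      2. an unsolicited reply that changes a binding learned earlier;
      3. one MAC answering for more IPs than max_ips_per_mac (a station in
         the middle typically claims both the gateway and its victims).
    """
    seen = dict(trusted)            # ip -> mac; trusted entries never overwritten
    pending = set()                 # (requester_ip, requested_ip) awaiting a reply
    ips_by_mac = defaultdict(set)   # mac -> IPs it has replied for
    alerts = []
    for p in packets:
        if p.op == "request":
            pending.add((p.sender_ip, p.target_ip))
            seen.setdefault(p.sender_ip, p.sender_mac)   # learn the requester
            continue
        solicited = (p.target_ip, p.sender_ip) in pending
        pending.discard((p.target_ip, p.sender_ip))
        known = seen.get(p.sender_ip)
        if known is not None and known != p.sender_mac:
            if p.sender_ip in trusted:
                alerts.append((p.ts, "reply contradicts trusted binding", p.sender_ip, p.sender_mac))
            elif not solicited:
                alerts.append((p.ts, "unsolicited reply changed learned binding", p.sender_ip, p.sender_mac))
        if p.sender_ip not in trusted:
            seen[p.sender_ip] = p.sender_mac
        ips_by_mac[p.sender_mac].add(p.sender_ip)
        if len(ips_by_mac[p.sender_mac]) > max_ips_per_mac:
            alerts.append((p.ts, "one MAC answering for many IPs", p.sender_ip, p.sender_mac))
    return alerts


# Constructed capture: a normal exchange, then a station (MAC ...:ee) poisoning
# both the victim (10.0.0.20) and the gateway, then claiming a third address.
SAMPLE_PACKETS = [
    ArpPacket(1.0, "request", "10.0.0.20", "00:11:22:33:44:20", "10.0.0.1"),
    ArpPacket(1.1, "reply", "10.0.0.1", "00:11:22:33:44:01", "10.0.0.20"),
    ArpPacket(5.0, "reply", "10.0.0.1", "00:11:22:33:44:ee", "10.0.0.20"),
    ArpPacket(5.1, "reply", "10.0.0.20", "00:11:22:33:44:ee", "10.0.0.1"),
    ArpPacket(5.2, "reply", "10.0.0.21", "00:11:22:33:44:ee", "10.0.0.1"),
]

if __name__ == "__main__":
    for ts, reason, ip, mac in detect_arp_poisoning(SAMPLE_PACKETS):
        print(f"t={ts:5.1f}  {reason:42s} {ip} claimed by {mac}")
```

A static gateway entry on the stations (or the "Anti Spoof" and "Private SSID" controls in the survey later in this deck) is the mitigation; this monitor only makes the attack visible.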
802.11b Wireless Security Flaws
Denial of Service
802.11b bandwidth degrades as signal strength decreases (from 11 Mb/s down to 1 Mb/s in increments).
802.11b frequency band conflicts with Bluetooth, wireless microphones, microwave ovens, etc.
802.11b supports multiple channels – can be used for noise/conflict avoidance, but not really useful for security (by obscurity).
Signal can be boosted at the PC end by adding an antenna.
Amplifying signal reception at the AP increases noise.
802.11b Wireless Security Flaws
Denial of Service
Yesterday’s CCA flaw/vulnerability in 802.11b. See the CERT announcement and
http://www.computerworld.com/securitytopics/security/story/0,10801,93221p4,00.htm
802.11b + 802.1X Wireless Security Flaws
University of Maryland researchers: Arbaugh and Misra
Possible weaknesses:
• Session hijacking
• Man in the Middle (MitM) attacks
802.11b Confidentiality Solutions
WEP - To secure 802.11b using WEP (Wired Equivalent Privacy) you need to (most sites don’t do these):
• Lock down MAC (physical Ethernet) addresses.
• Set a network name (non-blank & non-guessable).
• Configure a static shared secret (or set of secrets).
• Change it frequently.
• Purchase 64 or 128 bit cards & base units.
Non-WEP – Use application-level cryptography (SSL, etc.)
• Use and/or require VPNs
802.11b Integrity Solutions: Best Practices
Network Access Control
(Protect against ARP cache poisoning)
Don’t connect Wireless Access Points to the wired network
Put Wireless Access Points outside corporate firewall
Firewalling/filtering/blocking WLANs
Use NAT Router / Firewall Wireless Access Points
Use VLANs between wired and wireless networks
Use of Wireless VLANs to segregate
802.11b Availability Solutions
Note that wireless networks are susceptible to DoS attacks and have very limited shared bandwidth -- THEREFORE THEY ARE NOT SUITABLE REPLACEMENTS FOR A WIRED NETWORK when you need high reliability (e.g. patient or animal subject RT (real-time) monitoring).
That said, they can be a useful part of a BCP / Disaster Recovery strategy (Sept. 11, 2001 WTC cases) in the event of a wired network failure, for Internet access.
Suitable shielding may protect internal 802.11b nets. Intentional jamming may prevent 802.11b use… put outside external shielding.
Don’t use omni-directional antennas, to decrease the spread of signal and area of reception – particularly on P2P links.
802.11b Authentication / Authorization / Accounting Solutions
Use of VPNs over Wireless LANs: Virtual Private Networks – PPTP, L2TP, IPSEC. Username / Password, Hardware tokens, X.509 certificates.
Proprietary Secure Authentication Enhancements
• Cisco Aironet 350 enhances WEP with RADIUS user authentication vs MAC address. Adds an infinite number of WEP keys (vs. one – Apple – or four – Lucent).
Secure Web based authentication approaches
802.1X “Provides”
• Authentication (various methods)
• Port based access control
• NOT confidentiality (uses WEP)
• Can provide dynamic WEP key mgt
• (CISCO uses EAP to provide this)
802.11b + 802.1X “Fixes”
• Add MAC (Message Auth Check) to EAP and 802.11b mgt msgs
• Time sync communications between PC and APs
WPA (WiFi Protected Access)
Forward compatible with IEEE 802.11i draft standard (except 802.11i adds AES encryption).
EAP (Extensible Authentication Protocol)
TKIP (Temporal Key Integrity Protocol)
MIC (Message Integrity Check)
802.1X (for auth and dynamic key exchange)
WPA Operation
WPA will provide a TKIP encryption key to both PC and AP to provide a secure session.
In the absence of an authentication server (e.g. a home or small office network) WPA will use Pre-Shared Key (PSK) mode (manual fixed password/key).
Legacy operation (old gear).
Requirements for WPA
WPA AP w/TKIP & 802.1X
WPA Client w/TKIP, 802.1X & EAP “supplicant” supporting the auth method/server
Authentication server on network (e.g. RADIUS) w/strong EAP:
• TLS
• TTLS
• PEAP/LEAP
Comparison of WEP & WPA
WEP    40 bit static keys, manually distributed. Flawed or no authentication.
WPA    128 bit dynamic keys, automatically distributed, with per-user/session/packet keys. 802.1X and EAP authentication.
WPA2   WPA2 is WPA plus AES (Advanced Encryption Standard). It is 802.11i compliant.
Proprietary Wireless Security
Lucent (Orinoco) - Created first features:
1. “closed network” - Don’t broadcast SSID (e.g. turn off AP broadcast ‘beacon frames’).
2. 128 bit WEP (WEP Plus - 40 bits -> 104 bits). WEP key crack from days to 20 weeks (but other WEP flaws bring time to 0).
Proprietary Wireless Security
CISCO (340/350/…) - features:
Dynamically Generated Short-lived (Broadcast) WEP keys
(in an early firmware release)
Non-Proprietary Wireless Security
MAC Address Filtering
Description: Register Physical Addresses of authorized devices.
Flaws:
1. Must be registered in a list in the AP or in a server (e.g. special RADIUS server).
2. Physical Addresses can easily be spoofed.
Non-Proprietary Wireless Security
VPN (with or without filtering/blocking of non-VPN traffic)
Description: Tunnel all wireless traffic through VPN sessions. Require VPN connection to a specific VPN server. Provides CIA (Confidentiality, Integrity & Auth).
VPN (PPTP, L2TP, IPSEC) choice.
Potential Flaws:
1. Redundant encryption (if also using WEP).
2. Bandwidth hog / latency problem.
Non-Proprietary Wireless Security
802.1X -- Extensible Authentication Protocol
Designed for wired AND wireless LANs.
Can filter or enable ports and/or MAC addresses on switches and APs.
Not a cipher.
Not a single authentication method:
• EAP-MD5
• EAP-Cisco Wireless (aka LEAP)
• EAP-TLS (Microsoft, RFC2716)
• EAP-TTLS
• PEAP (Microsoft and Cisco)
• EAP-SIM proposal (use GSM SIM cards)
Non-Proprietary Wireless Security
802.1X -- EAP Authentication “bucket”
EAP-MD5
Description: MD5 Hashing of user/pass creds -- pass to RADIUS
Flaws: No key mgt -- uses static WEP keys.
Non-Proprietary Wireless Security
802.1X -- EAP Authentication “bucket”
EAP-CISCO WIRELESS (LEAP)
Description: Username/password credentials -- passed to RADIUS
Benefits:
• generates one-time WEP keys for each session
• can use RADIUS timeout features to nullify current WEP attacks
• prevents rogue AP association attacks (by mutual auth requirement)
Flaws or Drawbacks: Needs special 802.11b driver to support LEAP
Non-Proprietary Wireless Security
802.1X -- EAP Authentication “bucket”
EAP-TLS (Microsoft, RFC2716)
Description: uses X.509 certs for auth, uses SSL/TLS to pass the PKI info
Benefits: generates one-time WEP keys for each session ala LEAP.
Flaws or Drawbacks: Needs special 802.11b driver (clients). Special clients are available for some Linux distros and all non-CE Windows.
Drawback -- requires a PKI & certs. Microsoft Certificate Server and AD LDAP server can be used in an Active Directory environment.
Non-Proprietary Wireless Security
802.1X -- EAP Authentication “bucket”
PEAP (Microsoft and Cisco)
Description: Similar to EAP-TLS but uses username/password rather than certs. Uses SSL/TLS to pass the credentials.
Benefits: generates one-time WEP keys for each session ala LEAP. PKI and user certificate is not required.
Flaws or Drawbacks: Needs special 802.11b driver (clients). Special clients are available -- particularly for Windows XP SP1.
Proprietary Wireless Security Systems
Aruba
BlueSocket
Ecutel
ReefEdge
Vernier
Survey
Which WLAN security modes are you using (check all that apply):
1. None
2. MAC Address Filtering
3. Application Level (SSL)
4. VPN
5. Proprietary
6. WEP
7. WPA
8. 802.1x
9. 802.11i
10. EAP
EAP Modes:
A. EAP-MD5
B. LEAP (Cisco)
C. EAP-TLS (Microsoft, RFC2716)
D. PEAP (Microsoft, Cisco)
E. Other EAP (EAP-SIM, TTLS)
Publish Campus WiFi Information on Web?
      SSID?   Hotspot Map?
Yes   9       10
No    6       5
# WiFi WLAN Standards implemented
      802.11a   802.11b   802.11g   Super-G
Yes   4         15        7         0
No    12        1         8         15
WiFi Encryption / Authentication Modes
      WEP   WPA   802.1X
Yes   10    1     7
No    5     14    8
802.1X Authentication Protocols Implemented
(Survey chart with Yes/No counts for EAP-MD5, LEAP (Cisco), PEAP, EAP-TLS and TTLS; the counts were not preserved in this transcript.)
Commercial Secure WiFi Vendor Implementations
Implemented   1    (BlueSocket)
Evaluating    1    (Perfigo)
None          13
WLAN / Campus Network Topology Independence
      WLAN VLAN   Private IP   Non-campus   Campus Public
Yes   12          5            6            9
No    3           10           9            6
Net Sec Access Control -- Firewall between WLAN &
          Campus Net   Internet
Yes       4            8
No        11           6
Not Yet   0            1
VPN Session Required from WLAN to connect to:
          Outside of WLAN   Campus Net
Yes       2                 3
No        12                12
Not Yet   1                 0
WLAN Data Link Layer Security Protections
          MAC ACLs   Anti Spoof   Private SSID   No ID Bcast
Yes       6          2            3              5
No        9          13           12             9
Not Yet   0          0            0              1
WLAN Security Counter-Measures
      Force WAP Associations   Jamming Capability
Yes   5                        0
No    10                       15
WLAN Authentication 1
          Allow Unauth   NetReg DHCP   Web Logon   802.1X Logon
Yes       1              8             6           6
No        14             7             9           8
Not Yet   0              0             0           1
WLAN Authentication 2
      X.509 Certs   SmartCard   VPN Auth
Yes   1             0           2
WEP/WPA Encryption
(Survey chart with Yes/No/Not Yet counts for WEP 40 Static, WEP > 64 Static, WEP 40 Dynamic, WEP > 64 Dynamic, WPA 128 Static and WPA 128 & 802.1X; the counts were not preserved in this transcript.)
Encryption Requirement by WLAN Protocol Layer
             Application   Session   Transport   Network   Data Link
Don't Care   5             4         5           5         5
Recommend    6             6         2           2         2
Require      2             3         5           5         5
WLAN Policies 1
        RF Airspace Reserved   Require Non-IT WAP Stds
Yes     8                      6
No      7                      7
N / A   0                      2
WLAN Policies 2 - Allow WLANs outside IT?
      Non-IT Dept WAPs   Faculty WAPs   Student WAPs
Yes   5                  4              3
No    10                 11             12
Interesting or Unique Practices and Findings
Not all devices support > 64 bit WEP so 40 bit must often be used.
A few campuses are moving from Cisco LEAP to PEAP or EAP-TLS.
Rutgers is using BlueSocket: http://ruwireless.rutgers.edu/
Dartmouth has widespread WiFi and VoIP over WiFi.
Several campuses use NoCat for both wired and wireless authentication (and thereby enable access).
More Interesting/Unique Practices and Findings
Companies are marketing for-pay public WiFi access points which you can hang off of any high speed Internet connection. These boxes allow users passing by to associate and pay for access by credit card. Look for students to try to make $$$?
Yale University - Unwritten Wireless Policy
Do no harm: Private Wireless Access Points which cause network disruption at Yale will be removed from the network (this includes causing interference by overlapping RF channels, etc).
Use of WEP or WPA is encouraged.
Private Access Points should not use the Yale SSID.
WiFi users are encouraged to use the VPN to access critical apps or sensitive information.
Yale Administrative users should not use WiFi to replace wired LAN connections. The above admin apps should already, however, be using application level security on wired networks.
Yale School of Medicine Wireless Policy Points
All private WAPs need to be registered. The default SSID must be changed to something other than Yale’s and the default passwords must be changed.
The WAP must only allow WEP and should implement MAC address filtering.
It should be turned off if/when not used.
Yale School of Medicine Wireless Policy Points
Official YSM WiFi Security:
ePHI should not be transferred unencrypted.
YSM ITS WLANs are changing from VPN (either PPTP or IPSEC) recommended to required. DHCP will vend an RFC1918 private IP to the YSM WLAN. Users must authenticate to the VPN and use it to connect to any resources outside of the WLAN.
Clients w/o registered MAC addresses or valid VPN sessions attempting HTTP connections to addresses outside the WLAN VLAN are redirected to a web portal where documentation and software are available (but little else).
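As an added example (not the school's actual gateway code), here is the access decision a WLAN gateway would apply under the YSM policy above, which also covers the earlier WLAN Security Guidelines slide (private VLAN, firewall, VPN into the intranet); the WLAN range 10.20.0.0/16, the registration list and the VPN session table are constructed assumptions.

```python
# Added example, not Yale's gateway code. Assumptions (all constructed): the
# YSM WLAN VLAN is 10.20.0.0/16 (an RFC 1918 range vended by DHCP), VPN
# sessions are tracked by the client's WLAN address, registered MACs are a
# plain set, and 198.51.100.0/24 (documentation range) stands in for campus.
import ipaddress
from dataclasses import dataclass

WLAN_VLAN = ipaddress.ip_network("10.20.0.0/16")   # constructed RFC 1918 range


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def decide(flow, registered_macs, vpn_sessions):
    """Return "allow", "redirect-portal" or "drop" for one flow leaving the WLAN.

    registered_macs: lower-case MAC addresses on the registration list.
    vpn_sessions: WLAN addresses with a currently valid VPN session.
    """
    src = ipaddress.ip_address(flow.src_ip)
    dst = ipaddress.ip_address(flow.dst_ip)
    # Anti-spoof: a packet seen on the WLAN must carry an address DHCP could
    # have vended from the WLAN's private range; anything else is forged.
    if src not in WLAN_VLAN:
        return "drop"
    # Destinations inside the WLAN VLAN (portal, VPN concentrator, peers) stay
    # reachable, otherwise a client could never authenticate to the VPN.
    if dst in WLAN_VLAN:
        return "allow"
    # Registered hardware or an authenticated VPN session may leave the WLAN.
    if flow.src_mac.lower() in registered_macs or flow.src_ip in vpn_sessions:
        return "allow"
    # Everyone else: plain HTTP is steered to the portal, the rest is dropped.
    if flow.proto == "tcp" and flow.dst_port == 80:
        return "redirect-portal"
    return "drop"


# Constructed registration list and VPN session table.
REGISTERED = {"00:11:22:33:44:aa"}
VPN_SESSIONS = {"10.20.5.9"}

if __name__ == "__main__":
    cases = [
        Flow("10.20.5.7", "00:11:22:33:44:AA", "198.51.100.1", 443),   # registered MAC
        Flow("10.20.5.9", "00:11:22:33:44:bb", "198.51.100.1", 22),    # VPN session
        Flow("10.20.5.8", "00:11:22:33:44:cc", "198.51.100.1", 80),    # unknown, HTTP
        Flow("10.20.5.8", "00:11:22:33:44:cc", "198.51.100.1", 443),   # unknown, HTTPS
        Flow("192.168.9.9", "00:11:22:33:44:aa", "198.51.100.1", 80),  # spoofed source
        Flow("10.20.5.8", "00:11:22:33:44:cc", "10.20.0.10", 80),      # portal itself
    ]
    for f in cases:
        print(f"{f.src_ip:12s} -> {f.dst_ip}:{f.dst_port}  {decide(f, REGISTERED, VPN_SESSIONS)}")
```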
WiFi Security Pre-WPA/802.11i Guidelines for Enterprise IT
Disable SSID broadcasts & use a non-obvious SSID.
Use WEP.
Use a separate VLAN & private IP net for the WLAN.
Firewall the WLAN off from the corporate intranet.
Require use of a VPN to enter the corporate intranet.
Use MAC Address filtering -- block non-registered addresses.
Force client association -- to a known SSID.
Monitor airspace -- war-walk/chalk/drive/run AND look into WiFi perimeter protection products and systems.
Use 802.1X Layer 2 Authentication with EAP & RADIUS.
What WPA and 802.11i Provide:
Strong integrity.
Strong encryption (particularly AES vs. the WEP encryption implementation).
Dynamic Key Generation/Re-generation.
Strong authentication capability (w/802.1X/EAP).
Increased DoS (Denial of Service) protection - particularly against Dis-association attacks.
What is WPA2?
WPA2 == 802.11i
WPA2 & 802.11i include AES.
WPA2 is basically (WPA + AES). WPA does not include AES and uses TKIP. WPA IS secure.
AES meets FIPS 140-2 (req’d by some Gov’t agencies).
AES can require new hardware or hardware upgrades as it can require a new dedicated crypto chip.
Several WiFi vendors are now ‘WPA2’ compliant:
Conclusions
Few using WEP, some are now starting to evaluate WPA (and wait for 802.11i).
Some use of commercial solutions (Vernier, Aruba, some ReefEdge and BlueSocket)?
Some interest is beginning in ‘network admissions’ (require both authentication and a network scan ala UCONN NetReg mods) programs for both wired and wireless LANs: Cisco, Perfigo, StillSecure and Bradford Campus Manager.