CONFIDENTIAL © Copyright 2012. Aruba Networks, Inc. All rights reserved

2012 AH Vegas WLAN Security Fundamentals

SECURITY FUNDAMENTALS

Presented By Andy Logan, Aruba Networks


Why Does Security Matter?


No Wireless Policies or Doing Nothing!

• Consumer grade wireless LAN equipment is cheap and easily available
  – If the IT department doesn’t deploy wireless, someone else will
• How do you enforce “No Wireless” policies?


The Existence of Wireless LANs is a Security Threat!

Diagram labels: Your Company; Your employee; New York City

• Employee’s a subscriber to public Wi-Fi hotspot service
• Employee’s laptop automatically associates with public Wi-Fi hotspot
• Plugs into wired corporate network
• Traffic bridged between public hotspot and enterprise network


RF Security Myths


RF Engineering


Defeating RF Engineering for $7!

http://www.oreillynet.com/lpt/wlg/448


SSID Cloaking

• Best practice?
  – “Configure APs to not broadcast the SSID”
• At best, this can discourage a bad guy
• The SSID is not the same as a password


Discovering Cloaked SSIDs

linux:~# ./essid_jack -h
Essid Jack: Proof of concept so people will stop calling an ssid a password.

Usage: ./essid_jack -b <bssid> [ -d <destination mac> ] [ -c <channel number> ] [ -i <interface name> ]

  -b: bssid, the mac address of the access point (e.g. 00:de:ad:be:ef:00)
  -d: destination mac address, defaults to broadcast address.
  -c: channel number (1-14) that the access point is on, defaults to current.
  -i: the name of the AirJack interface to use (defaults to aj0).

linux:~# essid_jack -b 00:03:2d:de:ad: -c 11
Got it, the essid is (escape characters are c style):
"s3kr1t_wl4n"


MAC Address Filtering

• Some APs offer “MAC address filtering”
• Does not scale to large networks
• Trivial to defeat


WEP - Wired Equivalent Privacy

• Part of original 802.11 specification
• Static WEP: everyone uses the same key, all the time
• Dynamic WEP: everyone uses a different key, assigned at each authentication
• Broken – NOT recommended for deployment


Is WEP really that bad?

• Using WEP is like saying “I’d rather you didn’t use my network”
• Dynamic WEP is slightly better than static WEP, but it is still WEP


Other things to Avoid...

• Cisco LEAP (vulnerable to dictionary attacks)
• EAP-FAST (doesn’t securely provide mutual authentication)
• Use caution with WPA-Personal/WPA-PSK (more later...)
• Proprietary “shielding” or “scrambling” (easy to defeat)
• Don’t assume your “no wireless” policy means that you don’t have wireless


No Wi-Fi? Scan Your Network!

• Turn on your Wi-Fi adapter and let your OS scan the environment where you work
  – You may be surprised at the number of networks your system will detect
  – Constant scanning is a must if you want an effective policy
• Download tools to help you audit your systems
  – http://accessagility.com/products/wifi-scanner.html
  – http://www.netstumbler.com/downloads/
  – http://www.remote-exploit.org/backtrack.html


Wi-Fi Scanner


Securing Wi-Fi


Key Security Principles

• Principle of Least Privilege
  – Authentication, identity-based security, firewalls
• Defense in Depth
  – Authentication, encryption, intrusion protection, client integrity
• Prevention is ideal, detection is a must
  – Intrusion detection systems, log files, audit trails, alarms, and alerts
• Know Thy System
  – Integrated management, centralization


Network Access Control (NAC)

• Identity-Based Policy Control
  – Authenticate users
  – Assess user role, device, location, time, application
  – Policies follow users throughout network
  – (Aruba PEF)
• Health-Based Assessment
  – Client health validation
  – Remediation
  – Ongoing compliance
  – (ClearPass OnGuard)
• Network-Based Protection
  – Stateful firewalls to enforce policies and quarantine
  – User/device blacklisting based on Policy Validation
  – (Integration with ESI)


Authentication

•  802.1X is best for Wi-Fi. Works with all modern client operating systems

•  Makes use of EAP (Extensible Authentication Protocol)

•  802.1X authentication happens at L2 – users will be authenticated before an IP address is assigned


Common EAP Types

• EAP-TLS
  – Clients use certificates to authenticate
• PEAP
  – Clients use passwords to authenticate
  – Inner EAP type: MSCHAPv2 (password is in MSCHAPv2 format)
  – Inner EAP type: GTC (password is cleartext inside PEAP tunnel)


Authentication with 802.1X: PEAP

Diagram: STA to AP/Controller over EAPOL (EAP over LAN); AP/Controller to Authentication Server over RADIUS; encrypted tunnel between STA and Authentication Server.


Local EAP Termination

Diagram: STA to AP/Controller over EAPOL (EAP over LAN); the EAP session terminates at the AP/Controller; AP/Controller to Authentication Server over RADIUS/LDAP (optional).


Encrypt the Data

• If intruders can’t read the data, there’s no need to worry where it goes
  – WEP
    • Simple to do, easy to crack
    • No key management
    • Don’t do it
  – TKIP (Temporal Key Integrity Protocol)
    • Works on legacy hardware (pre-2003)
    • First major flaw published in November 2008
    • Flaw is getting worse with more research
    • Not currently recommended
  – CCMP/AES
    • Encryption using AES
    • Considered state-of-the-art
    • Government approved (FIPS, CESG, etc.)
    • Works on all modern hardware


Combining Authentication & Encryption: WPA

• WPA == Wi-Fi Protected Access
• WPA
  – Wi-Fi Alliance “standard” based on pre-802.11i
  – Includes TKIP for encryption
• WPA2
  – Wi-Fi Alliance “standard” based on ratified 802.11i
  – Includes TKIP and CCMP for encryption
• For both:
  – WPA-Enterprise == 802.1X for authentication, dynamic encryption keys
  – WPA-Personal == pre-shared authentication key – careful!


WPA-Personal? Be careful...

• WPA Personal does not use 802.1X
  – Pre-shared key
  – Easier
  – But less secure
• Problem 1: Scalability
  – Need to re-key any time an employee/user leaves the organization
• Problem 2: Using weak keys
  – WPA-PSK keys that are weak can be cracked (dictionary attack)
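Both problems on this slide follow from how the pre-shared key is derived, so here is an added example (not from the Aruba deck) that performs the 802.11i passphrase-to-PMK mapping and applies a passphrase policy check; the minimum length and the small word list are assumptions for illustration.

```python
import hashlib
from typing import Tuple

# Added example, not from the Aruba deck. WPA/WPA2-Personal derives the pairwise
# master key from the passphrase and SSID exactly as 802.11i specifies:
#     PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)
# Nothing about the user enters this derivation: every station on the SSID holds
# the same PMK (Problem 1), and the iteration count is fixed by the standard, so
# only passphrase strength protects a captured handshake from offline guessing
# (Problem 2).


def derive_pmk(ssid: str, passphrase: str) -> bytes:
    """Derive the 256-bit WPA-PSK PMK (IEEE 802.11i passphrase-to-PSK mapping)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("802.11i passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


# Constructed stand-in for the word lists used in offline guessing; a real policy
# check would consult a large breached-password list.
COMMON_WORDS = {"password", "welcome1", "letmein", "wireless", "12345678"}
MIN_LEN = 20  # assumption: an organisation-chosen minimum, not an 802.11i rule


def psk_policy_ok(ssid: str, passphrase: str) -> Tuple[bool, str]:
    """Reject passphrases that are short, a common word, or built from the SSID."""
    if len(passphrase) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if passphrase.lower() in COMMON_WORDS:
        return False, "common dictionary word"
    if ssid.lower() in passphrase.lower():
        return False, "contains the SSID"
    return True, "ok"


if __name__ == "__main__":
    # IEEE 802.11i test vector: SSID "IEEE", passphrase "password".
    print(derive_pmk("IEEE", "password").hex())
    for candidate in ("password", "CorpWiFi-2012-guest-pass", "k7#Qz!9pLw@2vR$e8Tn&Bx"):
        print(candidate, psk_policy_ok("CorpWiFi", candidate))
```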


Configure WPA Properly

•  Configure the Common Name of your RADIUS server (matches CN in server certificate)

•  Configure trusted CAs (an in-house CA is better than a public CA)

•  ALWAYS validate the server certificate

•  Do not allow users to add new CAs or trust new servers

•  Enforce with group policy


Authorize the Data

Diagram: Virtual AP 1 (SSID: Corp) and Virtual AP 2 (SSID: GUEST) in front of Corporate Services; Role-Based Access Control with separate Access Rights for Data, Voice, Signage and PoS; SSID-Based Access Control; Guest traffic handled by ClearPass Guest Access and a Captive Portal over a Secure Tunnel to the DMZ; RADIUS / LDAP / AD for authentication.


Why Worry About Authorization?

• Mobility brings us:
  – Disappearance of physical security
  – New mobile users, devices appearing every day
  – Increased exposure to malware
• Assuming that “the bad guys are outside the firewall, the good guys are inside” is a recipe for disaster


“Hole 196” – An Insider Attack

Vulnerability
• STA accepts unicast IP frame encrypted in RSN broadcast/group key
• Allows spoofing of ARP and DNS which leads to Man-in-the-middle attacks

Aruba Mitigation:
  # firewall prohibit-ip-spoofing
  # firewall prohibit-arp-spoofing
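To make the mitigation concrete, here is an added example (not Aruba's code) of the check an ARP anti-spoofing rule such as `firewall prohibit-arp-spoofing` has to perform: ARP replies are compared against the IP binding the network recorded for the transmitting station; the binding table and sample replies are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not Aruba's code: a simplified model of the check an ARP
# anti-spoofing rule like the slide's "firewall prohibit-arp-spoofing" has to
# make. The controller already knows which IP each authenticated station holds
# (assumed here to be learned at DHCP/authentication time), so an ARP reply whose
# sender fields disagree with that record, or with the frame's own transmitter,
# is dropped and logged instead of poisoning other clients' ARP caches.


@dataclass(frozen=True)
class ArpReply:
    tx_mac: str      # transmitter address of the 802.11 frame carrying the reply
    sender_mac: str  # ARP sender hardware address
    sender_ip: str   # ARP sender protocol address
    target_ip: str   # ARP target protocol address


def check_arp_reply(reply: ArpReply, bindings: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason). `bindings` maps a station MAC to its assigned IP."""
    tx = reply.tx_mac.lower()
    if reply.sender_mac.lower() != tx:
        return False, "ARP sender MAC differs from transmitting station"
    bound_ip = bindings.get(tx)
    if bound_ip is None:
        return False, "transmitting station has no IP binding"
    if reply.sender_ip != bound_ip:
        return False, f"station {tx} bound to {bound_ip} claimed {reply.sender_ip}"
    return True, "ok"


def dropped_replies(replies: List[ArpReply], bindings: Dict[str, str]) -> List[Tuple[ArpReply, str]]:
    """Filter a batch of replies, returning the ones to drop with their reasons."""
    results = ((r, *check_arp_reply(r, bindings)) for r in replies)
    return [(r, why) for r, ok, why in results if not ok]


# Constructed binding table and ARP replies (not captured traffic). 10.0.0.1 is
# the gateway; the second and third replies are the kinds the rule exists to stop.
BINDINGS = {"00:11:22:33:44:55": "10.0.0.20", "66:77:88:99:aa:bb": "10.0.0.21"}
SAMPLE = [
    ArpReply("00:11:22:33:44:55", "00:11:22:33:44:55", "10.0.0.20", "10.0.0.1"),  # legitimate
    ArpReply("66:77:88:99:aa:bb", "66:77:88:99:aa:bb", "10.0.0.1", "10.0.0.20"),   # claims gateway IP
    ArpReply("66:77:88:99:aa:bb", "00:00:5e:00:01:01", "10.0.0.1", "10.0.0.20"),   # forged sender MAC
]

if __name__ == "__main__":
    for r, why in dropped_replies(SAMPLE, BINDINGS):
        print(f"drop ARP from {r.tx_mac}: {why}")
```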


PEF to Control Wireless Performance

Diagram labels: Multicast/Broadcast; Chatty Protocols; Power Users Stealing B/W; Malicious or Misconfigured Clients; Bonjour!

Lack of Policy Impacts Network Reliability & Performance!

• What are Multicast and Broadcast currently being used for?
• What problems am I creating by using large VLANs to solve mobility issues?
• What non-critical applications are consuming bandwidth?
• Should users be connecting to 3rd party WLANs?
• Should users be setting up their own WLANs?
• Should users be connected to wireless while wired?
• How are “Power” Users affecting others?
• How are unauthorized users affecting network availability?


Wireless Intrusion Prevention - RFProtect

• Integrated
  – It knows your clients and APs
• Uncontrolled wireless devices
  – Rogue APs
  – Laptops acting as bridges
  – Misconfigured laptops
  – Ad-Hoc networks
• Attacks against the WLAN
  – Denial of Service/flooding
  – Forged de-authenticate/disassociate
  – Man-in-the-Middle
  – WEP cracking
  – WPA-PSK cracking


TotalWatch Full Spectrum Monitoring

• Complete Coverage
  – 2.4-GHz and 5-GHz scanning
  – 4.9-GHz public safety band
• 5-MHz channel increment scanning
  – Rogue detection in-between channels

Diagram: 2.4 GHz, 4.9 GHz and 5.0 GHz bands; 5-MHz channel scanning


Aruba Air Monitor

Client Tarpit Containment
• Does not waste air-time during threat mitigation
• Works against any brand and type of wireless device

Diagram (Aruba Air Monitor, Client, Rogue Access Point):
1. Client is trying to associate to rogue AP
2. Air Monitor creates tarpit with fake channel or fake BSSID
3. Client associates to Air Monitor tarpit in preference to rogue
4. Client stops association attempts to rogue


Hotspotter/KARMA Attack

Diagram (Client, Hotspotter/KARMA):
1. Client broadcasts probe-requests (Probe: Linksys, Probe: tmobile, Probe: MyCorpSSID); Hotspotter/KARMA is in listen mode
2. Hotspotter/KARMA advertises the SSID (Probe response: tmobile, Beacon: tmobile); Client listens

RFprotect will detect Hotspotter!
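One detection signal behind a claim like this, as an added example that is not RFProtect's code: correlate probe responses with the probe requests that preceded them, and flag any BSSID outside the managed-AP list that answers many unrelated SSIDs. The events, the managed BSSID list and the threshold are constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, List, NamedTuple, Set

# Added example, not RFProtect's code: one signal a wireless IDS can use to flag a
# Hotspotter/KARMA-style rogue. A legitimate AP answers probe requests only for
# the SSIDs it serves; a KARMA-style device answers with whatever SSID a nearby
# client just asked for. Correlating probe responses with the preceding probe
# requests therefore shows one unknown BSSID "serving" many unrelated SSIDs.


class ProbeEvent(NamedTuple):
    kind: str   # "req" = client probe request, "resp" = AP probe response
    mac: str    # client MAC for "req", BSSID for "resp"
    ssid: str


def karma_suspects(events: List[ProbeEvent], known_bssids: FrozenSet[str] = frozenset(),
                   threshold: int = 3) -> Dict[str, Set[str]]:
    """Return {bssid: ssids} for BSSIDs not in `known_bssids` that answered at
    least `threshold` distinct SSIDs clients had probed for. `threshold` is an
    assumed tuning value; genuine multi-SSID APs are excluded via `known_bssids`."""
    probed: Set[str] = {e.ssid for e in events if e.kind == "req" and e.ssid}
    answered: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        bssid = e.mac.lower()
        if e.kind == "resp" and bssid not in known_bssids and e.ssid in probed:
            answered[bssid].add(e.ssid)
    return {b: s for b, s in answered.items() if len(s) >= threshold}


# Constructed events mirroring the slide: the client probes for Linksys, tmobile
# and MyCorpSSID; the rogue answers all three, the real corporate AP only its own.
CORP_APS = frozenset({"00:0b:86:00:00:01"})  # assumed list of managed AP BSSIDs
SAMPLE = [
    ProbeEvent("req", "aa:bb:cc:00:00:01", "Linksys"),
    ProbeEvent("req", "aa:bb:cc:00:00:01", "tmobile"),
    ProbeEvent("req", "aa:bb:cc:00:00:01", "MyCorpSSID"),
    ProbeEvent("resp", "02:13:37:00:00:01", "Linksys"),
    ProbeEvent("resp", "02:13:37:00:00:01", "tmobile"),
    ProbeEvent("resp", "02:13:37:00:00:01", "MyCorpSSID"),
    ProbeEvent("resp", "00:0b:86:00:00:01", "MyCorpSSID"),
]

if __name__ == "__main__":
    for bssid, ssids in karma_suspects(SAMPLE, CORP_APS).items():
        print(f"possible KARMA device {bssid}: answered {sorted(ssids)}")
```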


KARMA Example


Control Compromised Devices

Detect unsecure devices
• Block access to network resources across wired, wireless & remote
• Auto-Remediate the device
• Minimal Risk to Network

Diagram: Access Network; ClearPass Policy Manager with OnGuard


Posture with MS NAP Agent

Participants: Windows NAP Agent, ClearPass Policy Manager, Aruba Controller

1. Health information is sent in authentication request
2. If posture met: CPPM sends Role to Controller; Controller sends proper role and full access
   If posture NOT met: CPPM sends Quarantine Role to Controller; Controller places endpoint in quarantine role
   A. NAP agent attempts auto-remediation (if enabled on CPPM) and re-authenticates
   B. User addresses compliance issues and tries to manually re-authenticate


Posture with OnGuard Agent

Participants: Windows w/OnGuard Agent, ClearPass Policy Manager, Aruba Controller

1. Authentication request is forwarded to CPPM
   CPPM sends Quarantine Role to Controller; Controller places endpoint in quarantine
   A. OnGuard returns Good health information, or
   B. OnGuard enables auto-remediation (if enabled on CPPM) and re-authenticates, or
   C. User addresses compliance issues and tries to manually re-authenticate
2. When health is good or remediation is successful, information is sent back to CPPM
   CPPM sends Full Access Role to Controller; Controller sends role and Full access


Centralization solves security and TCO for WLANs

Diagram: “Thin” Access Points (802.11a/b/g, Antennas) with a Centralized Mobility Controller providing Policy, Mobility, Forwarding, Encryption, Authentication and Management, compared with “Autonomous” Access Points that carry all of these functions themselves. Centralized vs. Decentralized.


Advanced Security – Suite B


Advanced Cryptography – Suite B

• Suite B is a set of cryptographic algorithms approved by US National Security Agency (NSA)
  – AES-GCM
  – ECDSA
  – ECDH
  – SHA2
• Suite B can be used by government/militaries to protect classified information


Aruba Suite B Implementation

• Requires Advanced Cryptography License (ACR)
• IPsec
  – ArubaOS 6.1.0.0
  – RFC 4869 “Suite B Cryptographic Suites for IPsec”
  – Supported by VIA 2.0

    crypto ipsec transform-set <foo> esp-aes128-gcm

• bSec
  – ArubaOS 6.1.4.0-FIPS
  – L2 protocol – works like WPA2
  – Specification is open to any vendor (only Aruba today)
  – Supported by VIA 2.1 for Windows – other platforms coming

    wlan ssid-profile <foo> opmode wpa2-aes-gcm-128


Putting It All Together


Today’s Wireless Gold Standard

• Centralized, tunneled access
• Keep clients updated – drivers too!
• Wireless intrusion detection
  – Control uncontrolled wireless
  – Locate and protect against rogue APs
• WPA-2
  – Authentication using 802.1X and EAP-TLS
  – AES for link-layer encryption
• Strong passwords
  – SecureID or other token-card products (maybe…)
  – Strong password policies
• Authorization with identity-aware firewalls
  – Enforce principle of least privilege
  – Provide separation of user/device classes
