Bài giảng Wireless Network Security

Wireless Network SecurityTJX Data Breach (Marshalls, T.J. Maxx, HomeGoods, A.J. Wright)TJX used WEP security They lost 45 million customer recordsThey settled the lawsuits for $40.9 millionObjectivesDescribe the basic IEEE 802.11 wireless security protectionsDefine the vulnerabilities of open system authentication, WEP, and device authenticationDescribe the WPA and WPA2 personal security modelsExplain how enterprises can implement wireless securityIEEE 802.11 Wireless Security ProtectionsIEEEInstitute of Electrical and Electronics Engineers (IEEE), 1963In the early 1980s, the IEEE began work on developing computer network architecture standardsThis work was called Project 802In 1990, the IEEE formed a committee to develop a standard for WLANs (Wireless Local Area Networks)At that time WLANs operated at a speed of 1 to 2 million bits per second (Mbps)IEEE 802.11 WLAN StandardIn 1997, the IEEE approved the IEEE 802.11 WLAN standardRevisionsIEEE 802.11 (2,4 GHz, 2 Mbps)IEEE 802.11a (5 GHz, 54 Mbps, 25- 75m)IEEE 802.11b (2.4 GHz, 11 Mbps, 35- 100m)IEEE 802.11g (2.4 GHz, 54 Mbps, 25- 75m)IEEE 802.11n (2.4 GHz, 5GHz, 300 Mbps, 50- 125m)Controlling Access to a WLANAccess is controlled by limiting a device’s access to the access point (AP)Only devices that are authorized can connect to the APOne way: Media Access Control (MAC) address filteringCSE uses this technique (unfortunately)Controlling AccessMAC Address FilteringWired Equivalent Privacy (WEP)Designed to ensure that only authorized parties can view transmitted wireless informationUses encryption to protect trafficWEP was designed to be:Efficient and reasonably strongWEP KeysWEP secret keys can be 64 or 128 bits longThe AP and devices can hold up to four shared secret keysOne of which must be designated as the default keyWEP Encryption ProcessTransmitting with WEPDevice AuthenticationBefore a computer can connect to a WLAN, it must be authenticatedTypes of authentication in 802.11Open system authenticationLets everyone inShared key authenticationOnly lets computers in if they know the shared keyVulnerabilities ofIEEE 802.11 SecurityOpen System AuthenticationTo connect, a computer needs the SSID (network name)Routers normally send out beacon frames announcing the SSIDPassive scanningA wireless device listens for a beacon frameTurning Off BeaconingFor "security" some people turn off beaconsThis annoys your legitimate users, who must now type in the SSID to connectIt doesn't stop intruders, because the SSID is sent out in management frames anywayIt can also affect roamingWindows XP prefers networks that broadcastMAC Address Filtering WeaknessesMAC addresses are transmitted in the clearAn attacker can just sniff for MACsManaging a large number of MAC addresses is difficultMAC address filtering does not provide a means to temporarily allow a guest user to access the network Other than manually entering the user’s MAC address into the access pointWEPTo encrypt packets WEP can use only a 64-bit or 128-bit numberWhich is made up of a 24-bit initialization vector (IV) and a 40-bit or 104-bit default keyThe 24-bit IV is too short, and repeats before longIn addition, packets can be replayed to force the access point to pump out IVsCracking WEPWith the right equipment, WEP can be cracked in just a few minutesYou need a special wireless cardPersonal Wireless SecurityWPA Personal SecurityWireless Ethernet Compatibility Alliance (WECA)A consortium of wireless equipment manufacturers and software providersWECA goals:To encourage wireless manufacturers to use the IEEE 802.11 technologiesTo promote and market these technologiesTo test and certify that wireless products adhere to the IEEE 802.11 standards to ensure product interoperabilityWPA Personal SecurityIn 2002, the WECA organization changed its name to Wi-Fi (Wireless Fidelity) AllianceIn October 2003 the Wi-Fi Alliance introduced Wi-Fi Protected Access (WPA)WPA had the design goal to protect both present and future wireless devices, addresses both wireless authentication and encryptionPSK addresses authentication and TKIP addresses encryptionWPA Personal SecurityPreshared key (PSK) authenticationUses a passphrase to generate the encryption keyKey must be entered into both the access point and all wireless devicesPrior to the devices communicating with the APThe PSK is not used for encryptionInstead, it serves as the starting point (seed) for mathematically generating the encryption keysTemporal Key Integrity Protocol (TKIP)WPA replaces WEP with TKIPTKIP advantages:TKIP uses a longer 128-bit keyTKIP uses a new key for each packetMessage Integrity Check (MIC)WPA also replaces the (CRC) function in WEP with the Message Integrity Check (MIC)Designed to prevent an attacker from capturing, altering, and resending data packetsWPA2 Personal SecurityWi-Fi Protected Access 2 (WPA2)Introduced by the Wi-Fi Alliance in September 2004The second generation of WPA securityStill uses PSK (Pre-Shared Key) authenticationBut instead of TKIP encryption it uses a stronger data encryption method called AES-CCMPWPA2 Personal SecurityPSK AuthenticationIntended for personal and small office home office users who do not have advanced server capabilitiesPSK keys are automatically changed and authenticated between devices after a specified period of time known as the rekey intervalPSK Key Management WeaknessesPeople may send the key by e-mail or another insecure methodChanging the PSK key is difficultMust type new key on every wireless device and on all access pointsIn order to allow a guest user to have access to a PSK WLAN, the key must be given to that guestPre-Shared Key WeaknessA PSK is a 64-bit hexadecimal numberUsually generated from a passphraseConsisting of letters, digits, punctuation, etc. that is between 8 and 63 characters in lengthIf the passphrase is a common word, it can be found with a dictionary attackCracking WPACracking WPAWPA2 Personal SecurityAES-CCMP EncryptionEncryption under the WPA2 personal security model is accomplished by AES-CCMPThis encryption is so complex that it requires special hardware to be added to the access points to perform itWPA and WPA2 ComparedEnterprise Wireless SecurityIEEE 802.11iImproves encryption and authenticationEncryptionReplaces WEP’s original PRNG RC4 algorithmWith a stronger cipher that performs three steps on every block (128 bits) of plaintext802.1x AuthenticationIEEE 802.11iKey-cachingRemembers a client, so if a user roams away from a wireless access point and later returns, she does not need to re-enter her credentialsPre-authenticationAllows a device to become authenticated to an AP before moving into range of the APAuthentication packet is sent aheadWPA Enterprise SecurityDesigned for medium to large-size organizationsImproved authentication and encryptionThe authentication used is IEEE 802.1x and the encryption is TKIPWPA Enterprise SecurityIEEE 802.1x AuthenticationProvides an authentication framework for all IEEE 802-based LANsDoes not perform any encryptionTKIP EncryptionAn improvement on WEP encryptionDesigned to fit into the existing WEP procedureWPA2 Enterprise SecurityThe most secure methodAuthentication uses IEEE 802.1xEncryption is AES-CCMPEnterprise & Personal Wireless Security ModelsEnterprise Wireless Security DevicesThin Access PointAn access point without the authentication and encryption functionsThese features reside on the wireless switchAdvantagesThe APs can be managed from one central locationAll authentication is performed in the wireless switchEnterprise Wireless Security DevicesEnterprise Wireless Security DevicesWireless VLANsCan segment traffic and increase securityThe flexibility of a wireless VLAN depends on which device separates the packets and directs them to different networksEnterprise Wireless Security DevicesFor enhanced security, set up two wireless VLANsOne for employee accessOne for guest accessRogue Access Point Discovery ToolsWireless protocol analyzerAuditors carry it around sniffing for rogue access pointsFor more security, set up wireless probes to monitor the RF frequencyTypes of Wireless ProbesWireless device probeDesktop probeAccess point probeDedicated probe