
Wireless Authentication via EAP-FAST


Presentation Transcript


  1. Wireless Authentication via EAP-FAST
     MSIT 458: Security (Professor Chen)
     Party of Five: Brandon Hoffman, Kelly Koenig, Azam Masood, Phil Nwafor

  2. Agenda
     • The Need
     • Alternatives Considered
     • Our Solution (Technical Detail)
     • Real World Example
     • Q & A

  3. The Need

  4. What’s the Big Deal?
     With the increase in usage of wireless-based technologies, security has become a substantial focus of IT departments globally. Many considerations need to be made to ensure the system is:
     • Effective
     • Efficient
     • Easy for end users and administrators

  5. Tenets of Effective Security*
     • Secure network platform with integrated security that is scalable to advanced security technologies and services
     • Threat control services focused on antivirus protection and policy enforcement
     • Secure communication services that maintain privacy and confidentiality of sensitive data
     *Cisco Systems

  6. Security: Business Benefits
     • Rapidly identify and respond to evolving threats
     • Enforce business policies
     • Protect critical assets
     • Decrease complexity
     • Ease the administrative burden of IT
     • Lower total cost of ownership

  7. Our Scope
     The current wireless security implementation is effective but manually intensive.
     • Wireless users need to have an account created manually
     • The accounts expire and need manual attention
     • The credentials for wireless require a PAC (certificate) to access the system that must be manually installed
     • The wireless users authenticate to an island as opposed to the enterprise Identity Vault

  8. *Culled from Secure Wireless: Integrity of Information on the Move (Cisco Paper)

  9. *Culled from Secure Wireless: Integrity of Information on the Move (Cisco Paper)

  10. *Culled from Secure Wireless: Integrity of Information on the Move (Cisco Paper)

  11. Alternatives Considered

  12. Wireless Authentication
     WPA & WPA2:
     • Designed as a stop gap between WEP and 802.1x (EAP) development
     • The most common mode of WPA2 is pre-shared key
     • Enterprises need a more distributed model

  13. Wireless Authentication
     EAP (Extensible Authentication Protocols) were created because a pre-shared key model does not make sense with hundreds or thousands of wireless clients.
     [Figure: Wireless Admin using PSK]

  14. Variety in EAP
     There are many variations of EAP types. Some are no longer widely used due to imperfections.
     • LEAP - Modified version of MS-CHAP. No credential protection. No native Windows support.
     • PEAP - Joint venture between Cisco and Microsoft. Similar to EAP-TTLS in using PKI server-side certs. Users will typically only encounter PEAPv0; PEAPv1 includes different inner authentication mechanisms.

  15. Variety in EAP (cont’d)
     • EAP-(T)TLS - Uses PKI to communicate securely with the RADIUS or authentication server. TLS requires a client cert; TTLS only requires a server cert. Convenience vs. security.
     • EAP-IKEv2 - Mutual authentication and session key establishment. Supports passwords, asymmetric or symmetric keys, and can use different methods in each direction. EXPERIMENTAL.
     • EAP-FAST - Provides multiple secured tunnels and flexible inner methods for authentication. Uses TLS without the inconvenience of manual client-side certs.

  16. EAP Type Comparison
     The many varieties of EAP that have evolved can be quickly evaluated for specific, enterprise-desirable benefits by viewing the charts below.

  17. Our Solution

  18. Digging into EAP-FAST
     EAP-FAST is a Cisco proprietary 802.1x authentication scheme. It contains a feature called “automatic PAC” that allows the system to manage and maintain the user certificates. The mechanism boasts the following features:
     • Utilizes a series of secure tunnels for credential transport
     • Leverages existing user credentials and authentication back-end (RADIUS AAA, and LDAP/IdM3)
     • Encrypts wireless data with leading-edge encryption methods such as WPA2 AES-CCMP
     • EAP-FAST is a three-phase authentication mechanism

  19. EAP-FAST Phase Zero
     Phase zero is essential to the automatic PAC creation process.
     • EAP-FAST requires the use of Cisco’s ACS server
     • Phase zero has several custom RADIUS elements and wireless client components
     • Phase zero consists of the ACS server opening an SSL tunnel with the client
     • It then checks the credentials sent via GTC (for generic LDAP) against the enterprise identity system
     • If valid, it creates a PAC and sends it to the client

  20. EAP-FAST Phase One
     Phase one is where the ACS server and the client set up the TLS tunnel.
     • The client sends a Hello message to the server
     • The server responds with a variety of information
     • The client checks the info and sends its encrypted PAC file to the server for mutual authentication
     • Once completed, the master secret is generated and the TLS tunnel is opened. At this point, Phase Two may commence.

  21. EAP-FAST Phase Two
     Phase two is very simple.
     • The TLS tunnel is already established, so the client simply sends its credentials, unencrypted by the inner method, through the tunnel to the ACS server
     • The ACS server forwards the information to the LDAP server and, upon a positive response, grants network access
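The three phases on slides 19 to 21, as an added worked example; this is not part of the original presentation and is not Cisco ACS or supplicant code. It assumes a simplified PAC layout (a PAC-Key the client keeps plus a PAC-Opaque that only the server can decrypt, as RFC 4851 describes), replaces the TLS handshake with an HMAC-based tunnel-key derivation, and uses a stdlib encrypt-then-MAC toy in place of a TLS cipher suite. The `AcsServer`, `Supplicant`, `seal`/`unseal` names and the `alice` directory entry are constructed. What it adds to the slides is the server-side check: a PAC whose opaque part has been altered, or one past its lifetime, is refused in phase one and never reaches phase two, and a valid PAC alone does not grant access without the inner credential.

```python
"""Toy model of the three EAP-FAST phases (constructed example, not Cisco ACS code).
Tunnel crypto is HMAC-SHA256 keystream XOR + HMAC tag, a stdlib stand-in for TLS."""
import hashlib, hmac, json, os, time

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag before decrypting; raise ValueError on any mismatch."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def derive_tunnel_key(pac_key, client_nonce, server_nonce):
    return hmac.new(pac_key, b"tunnel" + client_nonce + server_nonce, hashlib.sha256).digest()

class AcsServer:
    """Authentication server; directory maps user -> SHA-256 hex of password (constructed)."""
    def __init__(self, directory, pac_lifetime=3600.0):
        self.directory, self.pac_lifetime, self.sessions = directory, pac_lifetime, {}
        self.pac_master_key = os.urandom(32)  # protects PAC-Opaque; never leaves the server
    def _check_directory(self, user, password):
        expected = self.directory.get(user)
        actual = hashlib.sha256(password.encode()).hexdigest()
        return expected is not None and hmac.compare_digest(expected, actual)
    def phase0_provision(self, user, password):
        """Phase 0: issue a PAC only after the directory accepts the credentials."""
        if not self._check_directory(user, password):
            return None
        pac_key = os.urandom(32)
        info = {"user": user, "pac_key": pac_key.hex(), "expires": time.time() + self.pac_lifetime}
        return {"pac_key": pac_key, "pac_opaque": seal(self.pac_master_key, json.dumps(info).encode())}
    def phase1_hello(self, pac_opaque, client_nonce):
        """Phase 1: unwrap the PAC, reject tampered or expired ones, derive the tunnel key."""
        try:
            info = json.loads(unseal(self.pac_master_key, pac_opaque))
        except ValueError:
            return None
        if info["expires"] < time.time():
            return None
        server_nonce, session_id = os.urandom(16), os.urandom(8).hex()
        tunnel_key = derive_tunnel_key(bytes.fromhex(info["pac_key"]), client_nonce, server_nonce)
        self.sessions[session_id] = {"user": info["user"], "tunnel_key": tunnel_key}
        return session_id, server_nonce
    def phase2_inner_auth(self, session_id, sealed_credentials):
        """Phase 2: open the tunnelled credentials and check them against the directory."""
        session = self.sessions.pop(session_id, None)
        if session is None:
            return False
        try:
            creds = json.loads(unseal(session["tunnel_key"], sealed_credentials))
        except ValueError:
            return False
        return creds["user"] == session["user"] and self._check_directory(creds["user"], creds["password"])

class Supplicant:
    def __init__(self, user, password):
        self.user, self.password, self.pac = user, password, None
    def provision(self, server):
        self.pac = server.phase0_provision(self.user, self.password)
        return self.pac is not None
    def authenticate(self, server):
        if self.pac is None:
            return False
        client_nonce = os.urandom(16)
        reply = server.phase1_hello(self.pac["pac_opaque"], client_nonce)
        if reply is None:
            return False
        session_id, server_nonce = reply
        tunnel_key = derive_tunnel_key(self.pac["pac_key"], client_nonce, server_nonce)
        sealed = seal(tunnel_key, json.dumps({"user": self.user, "password": self.password}).encode())
        return server.phase2_inner_auth(session_id, sealed)

def run_demo():
    """Constructed directory; returns the outcome of each scenario."""
    server = AcsServer({"alice": hashlib.sha256(b"correct horse").hexdigest()})
    alice = Supplicant("alice", "correct horse")
    results = {"provisioned": alice.provision(server), "legit": alice.authenticate(server)}
    good_opaque = alice.pac["pac_opaque"]
    blob = bytearray(good_opaque)
    blob[20] ^= 0x01  # flip one byte of the PAC-Opaque: the server must refuse it in phase 1
    alice.pac["pac_opaque"] = bytes(blob)
    results["tampered_pac"] = alice.authenticate(server)
    alice.pac["pac_opaque"], alice.password = good_opaque, "wrong"  # valid PAC, wrong inner credential
    results["wrong_inner_password"] = alice.authenticate(server)
    return results
```

Calling `run_demo()` walks one user through provisioning, a normal login, a login with a corrupted PAC and a login with a valid PAC but wrong password; only the first two succeed. The `sessions.pop` in phase two also means a session id is consumed once, so a replayed phase-two message is rejected.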

  22. Real World: Case Studies

  23. Large Telecommunications Company: CHALLENGES
     • Provide a unique access point for guests and employees
     • Provide employees with a similar end-user experience to the one they have now (transparency)
     • Reduce maintenance-related costs incurred by the IT department

  24. Large Telecommunications Company: SOLUTION
     • EAP-FAST as opposed to a LEAP solution
     • Less susceptible to dictionary attacks, since there is less reliance on the user’s password strength
     • Employs the additional security that EAP-FAST provides through tunneling
     • Like LEAP, eschews the need for digital certificates

  25. Large Telecommunications Company: RESULTS
     • More secure and cost-effective client access
     • Tunneling affords less reliance on user passwords by authenticating only after the tunnel is established
     • Most of this remains transparent to the user
     • Repeatable, predictable and consistent client experience

  26. Healthcare Case Study: CHALLENGES
     • Lifespan Healthcare emerged as a result of the merger of two of the largest acute care facilities in Rhode Island
     • Wireless technology was a critical strategic and tactical element to support care delivery
     • Authentication of mobile clients from two large institutions was a challenge
     • Mobile diagnostic devices had to be tethered to Ethernet, which was usually logistically inconvenient

  27. Healthcare Case Study: SOLUTION (same as previous)
     • EAP-FAST was evaluated as an authentication alternative due to some of its inherent benefits
     • Less susceptible to dictionary attacks, since there is less reliance on the user’s password strength
     • Employs the additional security that EAP-FAST provides through tunneling
     • Like LEAP, eschews the need for digital certificates

  28. Healthcare Case Study: RESULTS
     • The goal was achieved through simplified authentication via EAP-FAST, enabling secure mobility to clinical systems
     • Facilitated point-of-care functions for physicians and other clinicians anytime, anywhere
     • More secure and cost-effective client access

  29. Q & A QUESTIONS?

  30. Our References
     • Secure Wireless: Integrity of Information on the Move (Cisco), http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns348/ns386/net_presentation0900aecd805febbb.pdf
     • The Business Case for Enterprise-Class Wireless LANs, http://safari.oreilly.com/1587201259/gloss01lev1sec6#X2ludGVybmFsX1RvYz94bWxpZD0xNTg3MjAxMjU5L2NoMTA=
