1 / 131

Wireless LAN Overview

Wireless LAN Overview. Wi-Fi Technology Wireless Fidelity (Wi-Fi) Channels Basic Security&Practices Vulnerabilities WAP 802.11i. Wireless LAN Overview. EAP and 802.1x 802.1x EAP Definition Process Flow EAP Types and Flow. Wi-Fi Technology. Wi-Fi.

sflagg
Télécharger la présentation

Wireless LAN Overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Wireless LAN Overview Wi-Fi Technology • Wireless Fidelity (Wi-Fi) • Channels • Basic Security&Practices • Vulnerabilities • WAP • 802.11i

  2. Wireless LAN Overview • EAP and 802.1x • 802.1x • EAP • Definition • Process Flow • EAP Types and Flow

  3. Wi-Fi Technology

  4. Wi-Fi • Wi-Fi (short for “Wireless Fidelity") is the popular term for a high-frequency wireless local area network (WLAN) • Promoted by the Wi-Fi Alliance (Formerly WECA - Wireless Ethernet Carriers Association) • Used generically when referring to any type of 802.11 network, whether 802.11a, 802.11b, 802.11g, dual-band, etc. The term is promulgated by the Wi-Fi Alliance

  5. Wi-Fi • Wi-Fi standards use the Ethernet protocol and CSMA/CA (carrier sense multiple access with collision avoidance) for path sharing • The 802.11b (Wi-Fi) technology operates in the 2.4 GHz range offering data speeds up to 11 megabits per second. The modulation used in 802.11 has historically been phase-shift keying (PSK). • Note, unless adequately protected, a Wi-Fi wireless LAN is easily accessible by unauthorized users

  6. Wireless LAN Topology • Wireless LAN is typically deployed as an extension of an existing wired network as shown below. 

  7. Wireless LAN Topology • Here is an example of small business usage of Wi-Fi Network. DSL Router DSLConnectionEtc. The DSL router and Wi-Fi AP are often combined into a single unit

  8. What is 802.11? • 802.11 refers to a family of specifications developed by the IEEE for wireless LAN technology. 802.11 specifies an over-the-air interface between a wireless client and a base station or between two wireless clients. • The IEEE accepted the specification in 1997.

  9. 802.11 Family Members • There are several specifications in the 802.11 family: • 802.11 • Applies to wireless LANs and provides 1 or 2 Mbps transmission in the 2.4 GHz band using either frequency hopping spread spectrum (FHSS) or direct sequence spread spectrum (DSSS). • 802.11a • An extension to 802.11 that applies to wireless LANs and provides up to 54 Mbps in the 5GHz band. 802.11a uses an orthogonal frequency division multiplexing encoding scheme rather than FHSS or DSSS. • 802.11b • (also referred to as 802.11 High Rate or Wi-Fi) is an extension to 802.11 that applies to wireless LANs and provides 11 Mbps transmission (with a fallback to 5.5, 2 and 1 Mbps) in the 2.4 GHz band. 802.11b uses only DSSS. 802.11b was a 1999 ratification to the original 802.11 standard, allowing wireless functionality comparable to Ethernet. • 802.11g • Applies to wireless LANs and provides 20+ Mbps in the 2.4 GHz band.

  10. 802.11Range Comparisons

  11. 802.11 Authentication • The 802.11 standard defines several services that govern how two 802.11 devices communicate. The following events must occur before an 802.11 station can communicate with an Ethernet network through a wireless access point provides: • Turn on the wireless Client • Client listens for messages from any access points (AP) that are in range • Client finds a message from an AP that has a matching SSID • Client sends an authentication request to the AP • AP authenticates the station • Client sends an association request to the AP • AP associates with the station • Client can now communicate with the Ethernet network thru the AP

  12. What Exactly Is 802.1x? • Standard set by the IEEE 802.1 working group. • Describes a standard link layer protocol used for transporting higher-level authentication protocols. • Works between the Supplicant (Client Software) and the Authenticator (Network Device). • Maintains backend communication to an Authentication (Typically RADIUS) Server.

  13. What Does it Do? • Transport authentication information in the form of Extensible Authentication Protocol (EAP) payloads. • The authenticator (switch) becomes the middleman for relaying EAP received in 802.1x packets to an authentication server by using RADIUS to carry the EAP information. • Several EAP types are specified in the standard. • Three common forms of EAP are • EAP-MD5 – MD5 Hashed Username/Password • EAP-OTP – One-Time Passwords • EAP-TLS – Strong PKI Authenticated Transport Layer Security (SSL) 802.1x Header EAP Payload

  14. What is RADIUS? • RADIUS – The Remote Authentication Dial In User Service • A protocol used to communicate between a network device and an authentication server or database. • Allows the communication of login and authentication information. i.e. Username/Password, OTP, etc. using Attribute/Value pairs (Attribute = Value) • Allows the communication of extended attribute value pairs using “Vendor Specific Attributes” (VSAs). • Can also act as a transport for EAP messages. • RFC2865, RFC2866 and others UDP Header RADIUS Header EAP Payload

  15. 802.11 Authentication Flow

  16. Wi-Fi Channels • Wireless LAN communications are based on the use of radio signals to exchange information through an association between a wireless LAN card and a nearby access point. • Each access point in an 802.11b/g network is configured to use one radio frequency (RF) channel. • Although the 802.11b/g specifications indicate that there are fourteen (14) channels that can be utilized for wireless communications, in the U.S., there are only eleven channels allowed for AP use. In addition, since there is frequency overlap among many of the channels, there must be 22 MHz separation between any two channels in use.

  17. Wi-Fi Channels • In a multi-access point installation, where overlapping channels can cause interference, dead-spots and other problems, Channels 1, 6 and 11 are generally regarded as the only safe channels to use. Since there are 5 5MHz channels between 1 and 6, and between 6 and 11, or 25MHz of total bandwidth, that leaves three MHz of buffer zone between channels. • In practice, this constraint limits the number of useable channels to three (channels 1, 6, and 11). 802.11a wireless networks have eight non-overlapping channels which provide more flexibility in terms of channel assignment.

  18. Wi-Fi Channels • For example, 802.11a - An extension to the IEEE 802.11 standard that applies to wireless LANs and provides up to 54 Mbps in the 5GHz band. • For the North American users, equipment available today operates between 5.15 and 5.35GHz. • This bandwidth supports eight separate, non-overlapping 200 MHz channels. • These channels allow users to install up to eight access points set to different channels without interference, making access point channel assignment much easier and significantly increasing the level of throughput the wireless LAN can deliver within a given area.

  19. Wi-Fi Channels • If two access points that use the same RF channel are too close, the overlap in their signals will cause interference, possibly confusing wireless cards in the overlapping area. • To avoid this potential scenario, it is important that wireless deployments be carefully designed and coordinated. • It is also critical to make sure that deployment does not cause conflicts with other pre-existing wireless implementations. Three channels on a single floor

  20. Basic 802.11 Security • SSID (Service Set Identifier) or ESSID (Extended Service Set Identifier) • Each AP has an SSID that it uses to identify itself. Network configuration requires each wireless client to know the SSID of the AP to which it wants to connect. • SSID provides a very modest amount of control. It keeps a client from accidentally connecting to a neighboring AP only. It does not keep an attacker out.

  21. SSID • SSID (Service Set Identifier) or ESSID (Extended Service Set Identifier) • The SSID is a token that identifies an 802.11 network. The SSID is a secret key that is set by the network administrator. Clients must know the SSID to join an 802.11 network; however, network sniffing can discover the SSID. • The fact that the SSID is a secret key instead of a public key creates a management problem for the network administrator. • Every user of the network must configure the SSID into their system. If the network administrator seeks to lock a user out of the network, the administrator must change the SSID of the network, which requires reconfiguration of every network node. Some 802.11 NICs allow you to configure several SSIDs at one time.

  22. Basic 802.11 Security • MAC filters • Some APs provide the capability for checking the MAC address of the client before allowing it to connect to the network. • Using MAC filters is considered to be very weak security because with many Wi-Fi client implementations it is possible to change the MAC address by reconfiguring the card. • An attacker could sniff a valid MAC address from the wireless network traffic .

  23. Basic 802.11 Security • Static WEP keys • Wired Equivalent Privacy (WEP) is part of the 802.11 specification. • Static WEP key operation requires keys on the client and AP that are used to encrypt data sent between them. With WEP encryption, sniffing is eliminated and session hijacking is difficult (or impossible). • Client and AP are configured with a set of 4 keys, and when decrypting each are used in turn until decryption is successful. This allows keys to be changed dynamically. • Keys are the same in all clients and AP. This means that there is a “community” key shared by everyone using the same AP. The danger is that if any one in the community is compromised, the community key, and hence the network and everyone else using it, is at risk.

  24. Authentication Type • An access point must authenticate a station before the station can associate with the access point or communicate with the network. The IEEE 802.11 standard defines two types of authentication: • Open System Authentication • Shared Key Authentication

  25. Authentication Type: Open System Authentication • The following steps occur when two devices use Open System Authentication: • The station sends an authentication request to the access point. • The access point authenticates the station. • The station associates with the access point and joins the network. • The process is illustrated below.

  26. Authentication Type: Shared Key Authentication • The following steps occur when two devices use Shared Key Authentication: • The station sends an authentication request to the access point. • The access point sends challenge text to the station. • The station uses its configured 64-bit or 128-bit default key to encrypt the challenge text, and sends the encrypted text to the access point. • The access point decrypts the encrypted text using its configured WEP Key that corresponds to the station’s default key. • The access point compares the decrypted text with the original challenge text. If the decrypted text matches the original challenge text, then the access point and the station share the same WEP Key and the access point authenticates the station. • The station connects to the network.

  27. Authentication Type: Shared Key Authentication • If the decrypted text does not match the original challenge text (i.e., the access point and station do not share the same WEP Key), then the access point will refuse to authenticate the station and the station will be unable to communicate with either the 802.11 network or Ethernet network. • The process is illustrated in below.

  28. Overview of WEP Parameters • Before enabling WEP on an 802.11 network, you must first consider what type of encryption you require and the key size you want to use. Typically, there are three WEP Encryption options available for 802.11 products: • Do Not Use WEP: The 802.11 network does not encrypt data. For authentication purposes, the network uses Open System Authentication. • Use WEP for Encryption: A transmitting 802.11 device encrypts the data portion of every packet it sends using a configured WEP Key. The receiving device decrypts the data using the same WEP Key. For authentication purposes, the wireless network uses Open System Authentication. • Use WEP for Authentication and Encryption: A transmitting 802.11 device encrypts the data portion of every packet it sends using a configured WEP Key. The receiving 802.11 device decrypts the data using the same WEP Key. For authentication purposes, the 802.11 network uses Shared Key Authentication. • Note: Some 802.11 access points also support Use WEP for Authentication Only (Shared Key Authentication without data encryption).

  29. Recommended 802.11 Security Practices • Change the default password for the Admin account • SSID • Change the default • Disable Broadcast • Make it unique • If possible, Change it often • Enable MAC Address Filtering • Enable WEP 128-bit Data Encryption. Please note that this will reduce your network performance • Use the highest level of encryption possible • Use a “Shared” Key • Use multiple WEP keys • Change it regularly • Turn off DHCP • Refrain from using the default IP subnet

  30. Vulnerabilities

  31. Vulnerabilities • There are several known types of wireless attacks that must be protected against: • SSID (network name) sniffing • WEP encryption key recovery attacks • ARP poisoning (“man in the middle attacks”) • MAC address spoofing • Access Point management password and SNMP attacks • Wireless end user (station) attacks • Rogue AP attacks (AP impersonation) • DOS (denial of service) wireless attacks

  32. Diversity Antenna Attacks • If diversity antennas A and B are attached to an AP, they are setup to cover both sides of tan area independently. Alice is on the left side of the area, so the AP will choose antenna A for the sending and receiving frames. Bob is on the opposite side of the area from Alice and will therefore send and receive frames with antenna B. • Bob can take Alice off the network by changing his MAC address to be the same as Alice's. Bob can also guarantee that his signal is stronger on antenna B than Alice's signal on antenna A by using an amplifier or other enhancement mechanism. • Once Bob's signal has been detected as the stronger signal on antenna B, the AP will send and receive frames for the MAC address on antenna B. As long as Bob continues to send traffic to the AP, Alice's frames will be ignored.

  33. Malicious AP overpowering valid AP • If a client is not using WEP authentication (or an attacker has knowledge of the WEP key), then the client is vulnerable to DoS attacks from spoofed APs. • Clients can generally be configured to associate with any access point or to associate to an access point in a particular ESSID. • If a client is configured to associate to any available AP, it will select the AP with the strongest signal regardless of the ESSID. • If the client is configured to associate to a particular ESSID, it will select the AP in the ESSID with the strongest signal strength. • Either way, a malicious AP can effectively black-hole traffic from a victim by spoofing the desired AP.

  34. Man-in-the-Middle Attacks • Man-in-the-middle (MITM) attacks have two major forms: eavesdropping and manipulation. • Eavesdropping occurs when an attacker receives a data communication stream. This is not so much a direct attack as much as it is a leaking of information. An eavesdropper can record and analyze the data that he is listening to. • A manipulation attack requires the attacker to not only have the ability to receive the victim's data but then be able to retransmit the data after changing it.

  35. WEP – What? • WEP (Wired Equivalent Privacy) referring to the intent to provide a privacy service to wireless LAN users similar to that provided by the physical security inherent in a wired LAN. • WEP is the privacy protocol specified in IEEE 802.11 to provide wireless LAN users protection against casual eavesdropping.

  36. IV Key Hashing/Temporal Key WEP Encryption Today IV BASE KEY PLAINTEXT DATA RC4 XOR CIPHERTEXT DATA STREAM CIPHER

  37. WEP – How? • When WEP is active in a wireless LAN, each 802.11 packet is encrypted separately with a RC4 cipher stream generated by a 64 bit RC4 key. This key is composed of a 24 bit initialization vector (IV) and a 40 bit WEP key. • The encrypted packet is generated with a bit-wise exclusive OR (XOR) of the original packet and the RC4 stream. • The IV is chosen by the sender and should be changed so that every packet won't be encrypted with the same cipher stream. • The IV is sent in the clear with each packet. • An additional 4 byte Integrity Check Value (ICV) is computed on the original packet using the CRC-32 checksum algorithm and appended to the end. • The ICV (be careful not to confuse this with the IV) is also encrypted with the RC4 cipher stream.

  38. WEP - Weaknesses • Key Management and Key Size • Key management is not specified in the WEP standard, and therefore is one of its weaknesses, because without interoperable key management, keys will tend to be long-lived and of poor quality. • The Initialization Vector (IV) is Too Small • WEP’s IV size of 24 bits provides for 16,777,216 different RC4 cipher streams for a given WEP key, for any key size. Remember that the RC4 cipher stream is XOR-ed with the original packet to give the encrypted packet which is transmitted, and the IV is sent in the clear with each packet. • The Integrity Check Value (ICV) algorithm is not appropriate • The WEP ICV is based on CRC-32, an algorithm for detecting noise and common errors in transmission. CRC-32 is an excellent checksum for detecting errors, but an awful choice for a cryptographic hash.

  39. WEP - Weaknesses • WEP’s use of RC4 is weak • RC4 in its implementation in WEP has been found to have weak keys. Having a weak key means that there is more correlation between the key and the output than there should be for good security. Determining which packets were encrypted with weak keys is easy because the first three bytes of the key are taken from the IV that is sent unencrypted in each packet. • This weakness can be exploited by a passive attack. All the attacker needs to do is be within a hundred feet or so of the AP. • Authentication Messages can be easily forged • 802.11 defines two forms of authentication: • Open System (no authentication) and • Shared Key authentication. • These are used to authenticate the client to the access point. • The idea was that authentication would be better than no authentication because the user has to prove knowledge of the shared WEP key, in effect, authenticating himself.

  40. WPA • Wi-Fi Protected Access (WPA)is a new security guideline issued by the Wi-Fi Alliance. • The goal is to strengthen security over the current WEP standards by including mechanisms from the emerging 802.11i standard for both data encryption and network access control. • Path: WEP -> WPA -> 802.11i • WPA = TKIP(Temporal Key Integrity Protocol) + IEEE 802.1x • For encryption, WPA has TKIP, which uses the same encryption algorithm as WEP, but constructs keys in a different way. • For access control, WPA will use the IEEE 802.1x protocol.

  41. 802.11i – Future Wireless Security Standard • Task group "i" within the IEEE 802.11 is responsible for developing a new standard for WLAN security to replace the weak WEP (Wired Equivalent Privacy). • The IEEE 802.11i standard utilizes the authentication schemes of 802.1x and EAP(Extensible Authentication Protocol) in addition to a new encryption scheme – AES (Advanced Encryption Standard) and dynamic key distribution scheme - TKIP(Temporal Key Integrity Protocol). • 802.11i = TKIP + IEEE 802.1x + AES

  42. 802.11i – Future Wireless Security Standard • Temporal Key Integrity Protocol (TKIP) • The Temporal Key Integrity Protocol is part of the IEEE 802.11i encryption standard for wireless LANs. TKIP is the next generation of WEP, the Wired Equivalency Protocol, which is used to secure 802.11 wireless LANs. TKIP provides per-packet key mixing, a message integrity check and a re-keying mechanism, thus fixing the flaws of WEP.

  43. 802.11i – Future Wireless Security Standard • Advanced Encryption Standard (AES) • AES is the U.S. government's next-generation cryptography algorithm, which will replace DES and 3DES.

  44. EAP and 802.1x

  45. 802.1x • IEEE802.1x is the denotation of a standard that is titled “Port Based Network Access Control”, which indicates that the emphasis of the standard is to provide a control mechanism to connect physically to a LAN. • The standard does not define the authentication methods, but it does provide a framework that allows the application of this standard in combination with any chosen authentication method. • It adds to the flexibility as current and future authentication methods can be used without having to adapt the standard.

  46. 802.1x Components • The 802.1x standard recognizes the following concepts: •  Port Access Entity (PAE) • which refers to the mechanism (algorithms and protocols) associated with a LAN port (residing in either a Bridge or a Station) •  Supplicant PAE • which refers to the entity that requires authentication before getting access to the LAN (typically in the client station) • Authenticator PAE • which refers to the entity facilitating authentication of a supplicant (typically in bridge or AP) • Authentication server • which refers to the entity that provides authentication service to the Authenticators in the LAN (could be a RADIUS server)

More Related