Wireless Security Strategy

Pros & Cons of Wireless Security

MAC TKIP Non- WEP
Standard
Media Access Temporal Key “Key-hopping” 64 and 128-bit
Pros Control Integrity encryption
Easy to Protocol Change Easy to
configure Access encryption keys configure
Points to permit “Interim every few Built into 802.11
only particular Standard” seconds. Hard to cards.
MAC addresses extract different
keys

MAC addresses No intensive Effective Easy to break

Cons easy to fake testing done on Solutions but no keys
this “Standard” standards Keys are widely
Source: known
Network World No end-system
5/20/02 and user
authentication
Sources of *WEP Information
■ www.nwfusion.com DocFinder 2040
■ www.ieeeusa.org
■ www.encryption.com/rsalabs/faq/3-6-3.htm
l
■ www.isaac.cs.berkeley.edu/isaac/wep-
faq.html WEP - hacking testing results
■ www.iss.net/wireless Wireless Security test
■ N.I.S.T. “New” Special Publication 800-48
■ * WEP - Wireless Equivalent Privacy 40 bit
Pros & Cons of Wireless Security
Browser IPSec 802.1X
Greatest Uses Digital Best Match of
Pros compatibility Certificates and two- Security and
with wireless factor Wireless
devices. Ease of authentication. * U. of
use Existing VPN Maryland
support. found flaws in
client-side
No Embedded IPSec software Requires
Cons device support. complex to set-up Windows - XP
No encryption and support. support
Source: Easy to Spoof Reduces LAN EAP RADIUS
Network World speeds. Supports server required
9/9/02 only IP networks AES will
require
hardware
Tried &True Methods for
Securing wired LAN’s
■ Authentication Types ■ Layer 3 Solutions
■ Radius ■ PPTP*
■ Kerberos ■ L2TP*
■ LDAP ■ IPSec VPN’s

■ * bundled as part of
Windows
Six-Steps for Wireless Security
■ Enable 128-bit session ■ Require use of VPN to
encryption access critical
■ Configure RADIUS resources
server authentication ■ Restrict LAN access
■ Force 30-minute rights by role
periodic authentication ■ Implement two-factor
for all users authentication scheme
■ * Source using access tokens
Computerworld
Equipment Manufacturer’s Fault
■ All 802.11b equipment shipped with
WEP security options “turned off” for
ease of installation
■ 80 bit key was used for ease of export
■ Hardware assist required for ease of
encryption but adds cost and design time
■ AES and 128 bit keys to WEP helps
■ Add IPSec hardware to 802.11 products
 General Description
IEEE 802.1X Terminology
Semi-Public Network / Enterprise Network
Enterprise Edge R
A
D
I
DIUS U
rRA
Ove S
EAP
) Authentication
A POL ) Server
W
LAN (E EAPO PAE
r s (
P Ove ireles
E A er W Authenticator
O v
EAP (e.g. Switch,
Access Point)
PAE
Uncontrolled Port
Supplicant

Controlled Port
IEEE 802.1X Over 802.11
Wireless
Access Radius
Point Server
Laptop Ethernet
Computer Association
Access Blocked
802.11 Associate 802.11 Radius
EAPOL-Start EAPOW
EAP-Request/Identity

EAP-Response/Identity Radius-Access-Request

Radius-Access-Challenge
EAP-Request

EAP-Response (Cred) Radius-Access-Request

EAP-Success Radius-Access-Accept

EAPOW-Key (WEP)

Access Allowed
Introductions to MS-CHAPS
■ Challenge Handshake
■ Authentication Protocol
■ Challenge Handshake

■ Authentication depends on a
secret known only to authenticator and
client
Challenge Message

■ Radius server sends challenge to client via access point

■ This challenge packet will vary for each authentication attempt
■ The challenge is pulled from information contained a table of
known secrets
■ New challenge can be sent at intervals based on Radius server
settings, or upon client roaming
Calculated HASH

Start
■ Client responds with a calculated value
using a “one way hash” function
■ This value is derived from a known
secrets list
Authentication Granted/Denied

■ Radius server checks response against

it own calculated hash
■ If it matches, then authentication is
acknowledged to AP and client
■ If authentication is not achieved,
the AP will not permit any traffic for
that client to pass
WEP Keys
■ WEP key is calculated by the Radius server, only
after the authentication is completed
■ The key is passed to Access Point for THAT
single authenticated client.
This is a session key
■ Client calculates the same WEP key
■ Key is never transmitted over RF
How Often Does the Key Change
■ Every time a client roams to a new AP,
it will go through the same authentication and
Session WEP key exercise
■ The Radius server will also require a new
Authentication/key at a timed interval
(programmable)
■ This provides different WEP keys often, and
totally unique keys to each client
Advantages of 802.1X for 802.11
■ Open, extensible and standards based
– Enables interoperable user identification, centralized authentication,
key management
– Leverages existing standards: EAP (extensible authentication protocol),
Radius
– Compatible with existing roaming technologies,
enabling use in hotels and public places
■ User-based identification
■ Dynamic key management
■ Centralized user administration
– Support for Radius (RFC 2138, 2139) enables centralized
authentication, authorization and accounting
Why LEAP ?
■ Cisco Lightweight EAP (LEAP) Authentication type

– No native EAP support currently available on legacy operating

systems
– EAP-MD5 does not do mutual authentication
– EAP-TLS (certificates/PKI) too intense for security baseline feature-
set
– Quick support on multitude of host systems
– Lightweight implementation reduces support requirements
on host systems
– Need support in backend for delivery of session key to access points to
speak WEP with client
 Cisco LEAP Deployment
Wireless
EAP LEAP
Access Point Radius
Server
Laptop Computer Ethernet Backbone
with LEAP Supplicant

Network Logon Radius

• Win 95/98 • Cisco Secure ACS 2.6
• Win NT • Authentication database
• Win 2K
• Can use Windows user database
• Win CE
• MacOS
• Linux

Driver for OS x EAP Authenticator Radius DLL

• LEAP Authentication support
• Dynamic WEP key support
• Capable of speaking EAP
• EAP-LEAP today • LEAP Authentication support
• MS-MPPE-Send-key support
• EAP-TLS soon
• EAP extensions for Radius
• …

Client/Supplicant Authenticator Backend/Radius server

What Does the Radius
Server Perform?
■ Authentication
■ Generates dynamic session key
■ Sends session key to access point
What Does the AP Perform?
■ On successful authentication
– Send broadcast WEP key to client
– Maintain clients WEP key
– Start running WEP with client
– Distribute pre-auth
Future EAP Client Work?
■ Microsoft placing 802.11 EAP Native supplicant
in,
– Win2K, WinCE
■ What about other Microsoft OS’s?
– Win9x/WinNT (need LEAP)
■ What about other OS’s?
– Linux, MacOS (need LEAP)
Standards Update
■ 802.1X current status
– Draft 8: http://www.manta.IEEE.org/groups/802/1/pages/802.1x.html
– Scheduled for letter ballot, January 2001
■ 802.11 security
– TG e (Task Group E) working on security and QoS extensions to the
MAC 802.11 layer
– TG-e Security sub-group chair: Dave Halasz (Cisco-Aironet
Engineering)
– Joint multi-vendor 802.1X for 802.11 proposal accepted as baseline
security document
Presenters Contact Information
■ Philip Ardire - Western DataCom
■ phil@western-data.com
■ 440-8.35-1510

■ Brian Casto - ICI Networks

■ bcasto@adelphia.net
■ 330-256-7770