Objectives
List wireless security solutions
Tell the components of the transitional security model
Describe the personal security model
List the components that make up the enterprise security model
WEP2
Attempted to overcome WEP limitations by adding two new security enhancements
WEP key increased to 128 bits
Kerberos authentication
User issued ticket by Kerberos server
Presents ticket to network for a service
Used to authenticate user
Dynamic WEP
Solves weak IV problem by rotating keys frequently
More difficult to crack encrypted packet
Broadcast WEP key must be same for all users on a particular subnet and AP
Should be A
IEEE 802.11i
Provides solid wireless security model
Robust security network (RSN)
Addresses both encryption and authentication
Key-caching: Stores information from a device on the network, for faster re-authentication (in the case when a user roams away and returns)
Pre-authentication: Allows a device to become authenticated to an AP before moving to it (current AP will forward authentication info to the roamed-to AP)
Authentication server can use 802.1x to produce unique master key for user sessions
Creates automated key hierarchy and management system
Security timeline
Wi-Fi modes
AES
802.1x
WEP Encryption
Although vulnerabilities exist, should be turned on if no other options for encryption are available
Use longest WEP key available
May prevent script kiddies or casual eavesdroppers from attacking
Two sections:
WPA: Older equipment
WPA2: Newer equipment
Key must be created and entered in the AP and also on any wireless device (shared) prior to (pre) the devices communicating with the AP
TKIP/MIC process
PSK keys automatically changed (rekeyed) and authenticated between devices after specified period of time or after set number of packets transmitted (rekey interval)
Employs consistent method for creating keys
Uses shared secret entered at AP and devices
Random sequence of at least 20 characters or 24 hexadecimal digits
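As an added example (not from these slides), the derivation that WPA/WPA2 in the personal model performs on the shared secret: IEEE 802.11i specifies PBKDF2-HMAC-SHA1 with the SSID as the salt, 4096 iterations and a 256-bit result, which is why the same passphrase produces a different key on a different SSID. The function names and the 20-character policy check are this example's own; the "password"/"IEEE" vector is the test vector published in the standard's annex.

```python
import hashlib
import re

# WPA/WPA2 personal mode: the Pairwise Master Key (PSK) is derived from the
# passphrase entered at the AP and at every client. IEEE 802.11i specifies
# PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations, 256-bit output.
PBKDF2_ITERATIONS = 4096
PSK_BYTES = 32

# Minimum length the slides recommend for a random passphrase (policy value from the page).
MIN_PASSPHRASE_CHARS = 20

HEX_KEY = re.compile(r"[0-9a-fA-F]{64}")


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PSK for a passphrase/SSID pair.

    A 64-hex-digit string is the raw key and is used as-is (no derivation);
    anything else must be 8..63 printable ASCII characters, per the standard.
    """
    if HEX_KEY.fullmatch(passphrase):
        return bytes.fromhex(passphrase)
    if not (8 <= len(passphrase) <= 63) or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters or 64 hex digits")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_BYTES
    )


def passphrase_meets_policy(passphrase: str) -> bool:
    """Policy check (hypothetical helper): a raw 64-hex-digit key always passes;
    a passphrase must have at least MIN_PASSPHRASE_CHARS characters."""
    if HEX_KEY.fullmatch(passphrase):
        return True
    return len(passphrase) >= MIN_PASSPHRASE_CHARS


if __name__ == "__main__":
    # "password"/"IEEE" is the PSK test vector from IEEE 802.11i Annex H.
    print(derive_psk("password", "IEEE").hex())
    # Same passphrase, different SSID: the SSID is the salt, so the PSK differs.
    print(derive_psk("password", "IEEE") == derive_psk("password", "OtherSSID"))
```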
Like personal security model, divided into sections for WPA and WPA2
Additional security tools available to increase network protection
802.1x protocol
Each maps to different types of user logons, credentials, and databases used in authentication
Block size of 128 bits
Three possible key lengths: 128, 192, and 256 bits
WPA2/802.11i uses 128-bit key length
Includes four stages that make up one round
Each round is iterated 10 times
On enterprise level, wireless gateway may combine functionality of a VPN and an authentication server
Can provide increased security for connected APs
Summary
IEEE 802.11i and Wi-Fi Protected Access (WPA) have become the foundations of today's wireless security
Dynamic WEP attempts to solve the weak initialization vector (IV) problem by rotating the keys frequently, making it much more difficult to crack the encrypted packet
The IEEE 802.11i standard provided a more solid wireless security model, such as the block cipher Advanced Encryption Standard (AES) and IEEE 802.1x port security
Summary (continued)
WPA is a subset of 802.11i and addresses both encryption and authentication
The transitional security model uses shared key authentication, turning off SSID beaconing, and implementing MAC address filtering
The personal security model is designed for single users or small office home office (SOHO) settings of generally 10 or fewer wireless devices and does not include an authentication server
Summary (continued)
The enterprise security model is intended for settings in which an authentication server is available; if an authentication server is not available, the highest level of the personal security model should be used instead
Additional security tools that can supplement the enterprise security model to provide an even higher degree of security include virtual private networks, wireless gateways, wireless intrusion detection systems (WIDS), and captive portals