Emory Network Communications Wireless Security In an Education Environment Stan Brooks CWNA, CWSP...

Post on 31-Mar-2015

221 views 3 download



EmoryNetwork Communications

Wireless SecurityIn an Education


Stan Brooks CWNA, CWSPEmory University

Network Communications Divisionstan.brooks@emory.eduAIM-Y!-MSN: WLANstan

Copyright Stan Brooks 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate

otherwise or to republish requires written permission from the author.

EmoryEmoryNetwork CommunicationsNetwork Communications


What this presentation will not cover Not a how-to hacking/cracking course Not a wireless basics discussion Not a deep dive on WLAN protocols

Wireless Security Why do we need security on wireless networks? Wireless Security Basics Wireless Security History Choosing a Wireless Security Model Implementing Wireless Security

Migrating Security Models – A real-life story Protecting yourself – Safe Wireless Computing

At Wi-Fi Hotspots and at Home

EmoryEmoryNetwork CommunicationsNetwork Communications

Why Do We Need Security on WLANs?

Easy to eavesdrop (sniff) Easy to spoof MAC addresses Easy to hack/crack Pre-Shared

Keys (WEP, WPA-PSK) Rogue APs Evil Twin & Man-in-the-Middle

(MitM) Attacks Last 100 feet is the worst of all

Much less secure than even wired Internet access

There is good news – Wireless CAN be more secure than the wired network (if implemented properly)

Internal Network

“Real” Access Point

“Real” Wireless User

Evil Twin/MitMAccess Point

Rogue Access Point

Sniff the Air (Eavesdrop)

Unauthorized AccessU



d A


AP Impersonation



EmoryEmoryNetwork CommunicationsNetwork Communications

Wireless Security – What do we Protect?

There 3 areas that need protection:1) Protect data as it travels from

source to destination Eavesdropping Integrity (tampering) Denial of Service (DoS)

2) Protect the network from unauthorized/compromised users

Rogue APs Stolen/hacked credentials Client remediation (NAC/NAP/etc.)

3) Protect the client from unauthorized access

MitM/Evil Twin and Ad Hoc attacks Hacking open hard drive shares


Wireless User

Access Point

EmoryEmoryNetwork CommunicationsNetwork Communications


Security is a PROCESSPROCESS Apply Security in Layers There is NO single security silver bullet Different data require different levels of security

A Term Paper vs. Student Grades vs. Financial Aid Data vs. Health Records

Different users need different levels of access Student vs. Faculty vs. Guest Users

A Business Risk Assessment helps to define requirements

EmoryEmoryNetwork CommunicationsNetwork Communications

Security Policy

Wireless Security SHOULD be part of your Overall Security Policy Acceptable Use Policy, Terms of Service (AUP/ToS) Policy should address the 3 areas to protect outlined on a

previous slide Role-based Access Control

All users are NOT created equal Student vs. Faculty vs. Staff vs. Guest

All data are NOT created equal Term papers vs. grade reports vs. medical records

Security Policy also defines how the network is accessed Type of Hardware and what type of support Supported OS’s Access methods

EmoryEmoryNetwork CommunicationsNetwork Communications


Originated with dial-up Internet and VPN access RADIUS = Remote Dial-In User Service

Authentication (Username/Password) Who are you?

Authorization (Are you a valid user/subscriber) Are you allowed to log on the network?

Access Control (Added for RBAC & Wireless) Where can you go once you are on the network?

(Accounting) – Originally the 3rd “A” Logs

Billing Tracking usage For when the RIAA or MPAA comes around

EmoryEmoryNetwork CommunicationsNetwork Communications

Authentication in a Wireless Environment

Types of Wireless Security Models Open System Shared Key for Encryption & Authentication

Static Key (WEP, WPA / WPA2-PSK)

Dynamic Key (Dynamic WEP, WPA / WPA2-Enterprise)

Authentication Models Open System VPN 802.1x (WPA / WPA2 or wired) – Needs a RADIUS Server Guest Access

Captive Portal, Walled Garden, Other

EmoryEmoryNetwork CommunicationsNetwork Communications

Wi-Fi Security Evolution


Encryption WEPDynamic WEP


SSID Captive Portal 802.1x 802.11i

Easily hacked by children, no real security,

just a no-trespassing sign

Requires a Webserver and may compromise

username/pw.Data encryption at the

expense of authentication and may requires client software


Requires a RADIUS Server.Dynamic WEP is fairly secure,

TKIP is much better, addressing all known issues


(also called WPA2)Combines 802.1x

Authentication (EAP-TLS, EAP-TTLS, PEAP, LEAP, etc.) with AES encryption

EmoryEmoryNetwork CommunicationsNetwork Communications

WEP / WPA / WPA2 Basics

WEP WPA-Personal WPA-Enterprise WPA2-Personal WPA2-Enterprise

Encryption RC4 w/WEP

24-bit IV

40/104-bit Key


48-bit IV

128-bit Key


48-bit IV

128-bit Key



128bit Key



128bit Key

Integrity CRC Michael

64-bit Key


64-bit Key


128-bit Key


128-bit Key

Authentication Optional Shared Key


Pre-Shared Key


Various EAP-Types


Pre-Shared Key




Ad-Hoc Support Yes No No Yes No

Standard Part of 802.11b


Snapshot of 802.11i

As of 10/2002

Snapshot of 802.11i

As of 10/2002

Specified in 802.11i

Ratified 06/2004

Specified in 802.11i

Ratified 06/2004

EmoryEmoryNetwork CommunicationsNetwork Communications

WPA / WPA2 Enterprise (8021.x) Elements

Supplicant (the client) Authentication Server (RADIUS server) Authenticator (the AP or WLAN Controller)

Passes authentication transaction between the Supplicant and the Authentication Server

AuthenticationServer (RADIUS)

Authenticator(Access Point)



EmoryEmoryNetwork CommunicationsNetwork Communications

WPA / WPA2-Enterprise EAP-Types

Source Client Server Auth Client Auth Vulnerability Level

Vulnerability Examples

EAP-MD5 Open – NOT Wi-Fi Certified

Aegis, Odyssey Shared Key Challenge - NO KEY DERIVATION

None Extremely High Offline Dictionary Attacks

LEAP Cisco Proprietary, NOT Wi-Fi Certified

Cisco (CCX), Aegis, Odyssey

Password Hash Password Hash High ASLEAP – Identity Exposure & Offline Dictionary PW Attacks

EAP-FAST Cisco Proprietary, NOT Wi-Fi Certified

Odyssey PAC (Shared Key) MSCHAPv2 Medium PAC Exposure

TLS Open, Wi-Fi Certified Aegis, Odyssey Certificate (PKI) Certificate (PKI) Low Lost or Stolen Devices


Open, Wi-Fi Certified Aegis, Odyssey, T-Mobile Conn Mgr (PCTEL)

Certificate PAP, CHAP, MSCHAPv2, GTC

Medium Possible Identity Exposure, MitM Risks


Microsoft – Wi-Fi Certified

Microsoft WZC, Apple, Aegis, Odyssey

Certificate EAP-TLS (SmartCard), MSCHAPv2

Medium Possible Identity Exposure, MitM Risks


Cisco – Wi-Fi Certified Cisco, Aegis, Odyssey

Certificate EAP-GTC (Generic Token Card)

Medium Possible Identity Exposure, MitM Risks

EAP-SIM GSM Wireless Carriers – Wi-Fi Certified

Odyssey SmartCard SmartCard Medium GSM/GPRS Attacks

Note: Aegis Client by Meetinghouse, Odyssey Client by Funk/Juniper Networks

EmoryEmoryNetwork CommunicationsNetwork Communications

Choosing the Right EAP-type

What EAP-types does your client base support? Homogeneous or heterogeneous environment Machine or user authentication – or both? Do you control the clients? Do you support PKI? What clients are you willing to support, and at what level?

What EAP-Types does your authentication server(s) support? RADIUS server supported EAP-types RADIUS proxy capabilities to your back-end credential base

Back-end directory/database capabilities How are passwords stored? Proxy capabilities Back-end directory rights

EmoryEmoryNetwork CommunicationsNetwork Communications

Wireless Clients

PCs Microsoft Windows XP WZC Wireless chip manufacturers’ clients

Atheros Intel Broadcom Prism

Open Source SecureW2 wEAP

Funk/Juniper Odyssey Meetinghouse/Cisco Aegis VPN Clients

Microsoft PPTP, IPSec

Checkpoint Others

MACs Linux

wpa_supplicant Xsupplicant

PDAs Native OS support Funk/Juniper Odyssey Meetinghouse/Cisco Aegis

Wi-Fi & Dual Mode Phones Other Devices

Game Consoles TiVo Appliances Nabaztag Wi-Fi Rabbit

EmoryEmoryNetwork CommunicationsNetwork Communications

Implementing a Secure Wireless Infrastructure

Basic Tenet: Wireless network should be considered UNTRUSTED Wireless traffic should be scrutinized and controlled just like

Internet traffic, perhaps more so. Difficult to build & scale an effective secure architecture

with stand-alone APs Expanding VLANs across the campus Backhauling wireless traffic to a firewall or wireless gateway Managing APs, switches, & routers

I’m an unabashed WLAN Switch/Controller proponent Much easier to implement security model(s) Easier to deploy, manage, & troubleshoot

EmoryEmoryNetwork CommunicationsNetwork Communications

Aruba WLAN Switch/Controller-based Implementation

The AP attaches to network infrastructure and gets its configuration from the Aruba WLAN switch/controller

The AP builds tunnel to the Aruba WLAN switch/controller An Authenticated user associates to AP; all traffic is tunneled to controller where it is scrutinized and

passed or blocked to various destinations including the Internet A Guest user associates to AP; all traffic is tunneled to controller, scrutinized and forwarded to the

Internet as policy dictates Using a centralized controller gives a single point of ingress and control for wireless traffic on the

wired network

Authenticated UserSSID: EmoryUnplugged

Emory’s Internal Network

Aruba WLAN Switch/Controllerw/ Built in Firewall and Per User Access Control

InternetGuest UserSSID: EmoryGuest

“Thin” Access Point

EmoryEmoryNetwork CommunicationsNetwork Communications

Migrating to “New” Security Models

Some History Emory originally settled on an Open System/VPN

authentication/access Model in 2004 As we grew, VPN was OK, but not great

The user experience with the VPN was sub-optimal Directive to move to WPA-Enterprise given Spring

2006 Directive for completion by January 1, 2007

EmoryEmoryNetwork CommunicationsNetwork Communications

Changing Security Models

Least impact on clients Clients DO have to change

Plan a transition period Longer (with in reason) is better A natural calendar break is ideal for cut-over

Emory used Winter Break ‘06 as the cut-over

Run both models for the transition period Market, market, market the change and why it’s


EmoryEmoryNetwork CommunicationsNetwork Communications

Poster Example

EmoryEmoryNetwork CommunicationsNetwork Communications

Poster/Ad Example

EmoryEmoryNetwork CommunicationsNetwork Communications

Emory’s Transition Timeline

Fall 2005 – Started piloting new model Developed configuration handouts and tools

January 2006 – Started officially supporting new model Spring Semester 2006 (Jan-May)

Marketed change (posters, student newspaper ads) Held clinics to get users transitioned End of semester – Email blast informing students of impending change in Fall

2006 Fall Semester 2006 (Sept-Dec)

Removed old security model from ResNet areas Move in weekend required lots of hands on configuration help for students

Held additional configuration clinics in high use areas Mid & Late Semester – Email blasts to know users of old security model informing

them of model “sunset” Winter Break 2006 – Removed old security model access globally Result: No logged complaints

EmoryEmoryNetwork CommunicationsNetwork Communications

VPN Usage GraphOct 2005 to Feb 2007

Thanksgiving 2005

Winter Break 2005

Spring Break 2006

Summer Break 2006

Move-in Weekend 2006

Thanksgiving 2006

Winter Break 2006

EmoryEmoryNetwork CommunicationsNetwork Communications

Wireless Security – Protecting Yourself

There 3 main areas to address:

1) Protect data as it travels from source to destination

2) Protect the client from unauthorized access

3) Protect the network from unauthorized/compromised users


“Real” Wireless User

“Real” Access Point

EmoryEmoryNetwork CommunicationsNetwork Communications

Safe HotSpot Wireless Computing

Assume the network connection is HOSTILE - practice safe computing!

Enable/use Personal Firewalls Properly configured for “Internet” or untrusted connection

Configure your Wireless Client Do NOT connect to non-preferred wireless networks Do NOT automatically connect to an open wireless network – Set client to ask you (On

Demand/Manual) No Ad-Hoc Networks (Ad-Hoc networks are REALLY BAD)

Encrypt your traffic WPA / WPA2-Enterprise (probably not available at hotspots) VPNs

Your organization’s VPN – PPTP, IPSec, or SSL VPNs Public VPN Gateways such as

Hotspotvpn.com Publicvpn.com JiWire.com SpotLock

Remember: HTTP, POP3, IMAP, FTP, Telnet and other protocols send credentials and data as clear text, so encrypt to be safe!

EmoryEmoryNetwork CommunicationsNetwork Communications

Safe SOHO Wireless Computing

On your clients: Do NOT connect to non-preferred wireless networks No Ad-Hoc Networks (Ad-Hoc networks are REALLY BAD)

On your router: Please. Please, Please - Change your router’s default configuration


Choose an SSID that does not identify you or your geographic location Set the channel to 1, 6, or 11 to reduce interference

Read the directions and set up WPA-PSK or WPA2-PSK Choose a difficult to guess and long (32+ character) passphrase that has

upper/lower case, numbers, and punctuation. Example: “Emory\University/Rox*My<2>smallW0RLD!!!Yeah!” WPA-PSK can be subject to dictionary attacks, so misspelled words,

added punctuation and longer keys will help mitigate this type of attack – just make it easy for YOU to remember

EmoryEmoryNetwork CommunicationsNetwork Communications


Why we need security for wireless networks Different security models

Strengths & weaknesses Implementation

Migrating to a New Security Model Basic wireless security methods for home and


EmoryEmoryNetwork CommunicationsNetwork Communications

?Questions& Discussion

Wireless SecurityIn an Education Environment

Presentation Evaluation URL: http://resnetsymposium.org/resnet2007/

EmoryEmoryNetwork CommunicationsNetwork Communications

Bibliography & Resources

CWNP –Certified Wireless Network Professional Program Best program for learning ALL about WLANs

Books Real 802.11 Security, Wi-Foo, CWNA/CWSP/CWAP Study

Guides, Hacking Wireless Networks for Dummies Websites

cwnp.com, wi-fiplanet.com and others (hit the forums for good information)

Manufacturers Cisco, Aruba, Meru, Trapeze