Page 1: 1 © 2000, Cisco Systems, Inc. Cisco Company Confidential - Do not distributeSE Meeting – November 16th 2000 Security for Next Generation Wireless LANs.

Security for Next Generation Wireless LANs

WNBU Technical Marketing

Page 2:

350 Security Update 1/2001 Cisco Company Confidential - Do not distribute

Agenda

• Recap – WEP/SSIDs/authentication

• Deployment issues with 802.11 today

• 802.1X for 802.11

• Deployment of new security feature-set

• Standards update/Pointers

• Questions ?

Page 3: Agenda

Recap – WEP/SSIDs/authentication

SSIDs in 802.11

Association

Open Authentication

Shared-key Authentication

WEP/RC4 in 802.11

WEP encrypted frames

Page 4: Past Security Methods

• SSID (Service Set Identifier): commonly used feature in Wireless LANs which provides a rudimentary level of security.

Serves to logically segment the users and Access Points that form part of a Wireless subsystem.

May be advertised or manually pre-configured at the station.

Page 5: RECAP - SSIDs in 802.11

[Diagram: several Access Points, each with an "SSID for AP" setting, and a client with an "SSID for Client" setting]

Page 6: SSID problem

• 32 ASCII character string

• Under 802.11, any client with a ‘NULL’ string will associate to any AP regardless of SSID setting on AP

• This is NOT a security feature!

Page 7: RECAP - Association With 802.11

[Diagram: Client (user machine) and Access Points attached to a wired Ethernet LAN]

Probe request on 11 channels; may include (broadcast) SSID

Probe response including info not in spec, such as # clients, % load

AP selection based on strength and quality of signal

Page 8: RECAP - Open Authentication With 802.11

Client → AP: Authentication request (Open Authentication)

AP → Client: Authentication response

Open or Shared needs to be set up identically on both the Access Point and Client

Page 9: RECAP - WEP/RC4 in 802.11

Page 10: RECAP – WEP Encrypted Frames

Frame body layout:

  Field    IV   MSDU     ICV
  Octets   4    0-2304   4

MSDU and ICV are encrypted. The 4-octet IV field breaks down as:

  Field    Initialization Vector   Pad   Key ID
  Bits     24                      6     2

Page 11: RECAP - Shared-key Authentication With 802.11

Open or Shared needs to be set up identically on both the Access Point and Client

Client → AP: Authentication request (Shared-Key Authentication)

AP → Client: Challenge text packet

Client → AP: Encrypted challenge text packet

AP → Client: Authentication response
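As an added example (not code from the Cisco deck), the following Python models the frame-body layout on the WEP Encrypted Frames slide and the four-frame shared-key exchange above: RC4 seeded with IV || key as WEP specifies, a CRC-32 ICV appended to the MSDU, and the Key ID carried in the top two bits of the IV field's fourth octet. The key, IV and payload values are constructed, and the function names (`wep_encapsulate`, `wep_verifies`, `shared_key_auth`) are this example's own.

```python
"""WEP frame-body layout and shared-key authentication, modelled in Python.
Added example: key, IV and payload values are constructed, not from the deck."""
import os
import zlib
from dataclasses import dataclass

MAX_MSDU = 2304  # octets, per the slide's 0-2304 range


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling pass, then the pseudo-random generation pass."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


@dataclass
class WepFrameBody:
    iv: bytes          # 3 octets = the 24-bit Initialization Vector
    key_id: int        # 2 bits (the top two bits of the 4th octet)
    pad: int           # 6 pad bits, expected to be zero
    ciphertext: bytes  # encrypted MSDU followed by the encrypted 4-octet ICV


def wep_encapsulate(msdu: bytes, key: bytes, iv: bytes, key_id: int = 0) -> bytes:
    """Return IV field || RC4(IV || key) XOR (MSDU || CRC-32(MSDU))."""
    if not 0 <= len(msdu) <= MAX_MSDU:
        raise ValueError("MSDU length outside 0-2304 octets")
    if len(iv) != 3 or not 0 <= key_id <= 3:
        raise ValueError("IV must be 24 bits and Key ID must fit in 2 bits")
    icv = zlib.crc32(msdu).to_bytes(4, "little")
    plaintext = msdu + icv
    keystream = rc4_keystream(iv + key, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    # 4th octet of the IV field: 6 zero pad bits low, Key ID in bits 6-7
    return iv + bytes([key_id << 6]) + ciphertext


def parse_wep_frame_body(body: bytes) -> WepFrameBody:
    """Split a frame body into the fields on the slide; no decryption."""
    if len(body) < 4 + 4:
        raise ValueError("too short for IV field plus ICV")
    flags = body[3]
    return WepFrameBody(iv=body[:3], key_id=flags >> 6, pad=flags & 0x3F, ciphertext=body[4:])


def wep_decapsulate(body: bytes, keys: dict) -> bytes:
    """Decrypt with the key selected by Key ID and verify the ICV."""
    f = parse_wep_frame_body(body)
    keystream = rc4_keystream(f.iv + keys[f.key_id], len(f.ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(f.ciphertext, keystream))
    msdu, icv = plaintext[:-4], plaintext[-4:]
    if zlib.crc32(msdu).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch: wrong key or corrupted frame")
    return msdu


def wep_verifies(body: bytes, keys: dict) -> bool:
    """True if the frame decrypts under the selected key with a good ICV."""
    try:
        wep_decapsulate(body, keys)
        return True
    except (ValueError, KeyError):
        return False


def shared_key_auth(ap_keys: dict, client_key: bytes, client_key_id: int = 0) -> bool:
    """The four-frame shared-key handshake from the slide: after the request,
    the AP issues challenge text, the client returns it WEP-encrypted, and the
    AP decrypts and compares before sending its authentication response."""
    challenge = os.urandom(128)                                                   # frame 2
    reply = wep_encapsulate(challenge, client_key, os.urandom(3), client_key_id)  # frame 3
    try:
        return wep_decapsulate(reply, ap_keys) == challenge                       # frame 4
    except (ValueError, KeyError):
        return False


if __name__ == "__main__":
    # Constructed sample key and IV (not from the deck).
    sample_key, sample_iv = b"\x01\x02\x03\x04\x05", b"\xaa\xbb\xcc"
    body = wep_encapsulate(b"hello", sample_key, sample_iv, key_id=2)
    print(parse_wep_frame_body(body))
    print(wep_decapsulate(body, {2: sample_key}))
    print(shared_key_auth({0: sample_key}, sample_key))
```

Note that the ICV is an unkeyed CRC-32: the check in `wep_decapsulate` catches corruption and a wrong key, nothing more, which is why the comparison slide later in the deck lists a keyed integrity check (MIC) as a separate column.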

Page 12: Agenda

• Recap – WEP/SSIDs/authentication

• Deployment issues with 802.11 today

• 802.1X for 802.11

• Deployment of new security feature-set

• Standards Update/Pointers

• Questions ?

Page 13: Deployment issues with 802.11 today

• Lack of integrated User administration: integration with existing user administration tools required (RADIUS, LDAP-based directories)

Identification via User-Name easier to administer than MAC address identification

Usage accounting and auditing desirable

• Lack of Key management solution: static keys difficult to manage on clients, access points

Proprietary key management solutions require separate user databases

Page 14: 802.11 Security Issues

• User loses wireless NIC, doesn’t report it: without user authentication, Intranet now accessible by attackers

Without centralized accounting and auditing, no means to detect unusual activity

Users who don’t log on for periods of time

Users who transfer too much data, stay on too long

Multiple simultaneous logins

Logins from the “wrong” machine account

With global keys, large scale re-keying required
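An added example (not from the deck) of the audit this slide says is impossible without centralized accounting and auditing: each of the listed conditions is checked over constructed RADIUS-accounting-style session records. The thresholds, the field names, the user-to-NIC table and the records themselves are assumptions made for illustration.

```python
"""Audit checks over RADIUS-accounting-style session records.
Added example: thresholds, field names and records are constructed assumptions."""
from datetime import datetime, timedelta

# Policy thresholds: assumed values for illustration.
MAX_SESSION = timedelta(hours=12)
MAX_BYTES = 2 * 1024**3          # 2 GiB per session
DORMANT_AFTER = timedelta(days=30)

# Which wireless NIC (the RADIUS Calling-Station-Id) each user was issued: assumed.
ISSUED_NIC = {
    "alice": "00-40-96-aa-aa-aa",
    "bob": "00-40-96-bb-bb-bb",
    "carol": "00-40-96-cc-cc-cc",
}


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed session records (one row per Accounting Start/Stop pair;
# stop=None means the session is still open at audit time).
SESSIONS = [
    {"user": "alice", "nic": "00-40-96-aa-aa-aa", "start": _t("2000-11-16T08:00"),
     "stop": _t("2000-11-16T17:00"), "bytes": 50_000_000},
    {"user": "alice", "nic": "00-40-96-aa-aa-aa", "start": _t("2000-11-16T09:00"),
     "stop": _t("2000-11-16T10:00"), "bytes": 1_000_000},
    {"user": "bob", "nic": "00-40-96-dd-dd-dd", "start": _t("2000-11-16T22:00"),
     "stop": None, "bytes": 3 * 1024**3},
    {"user": "carol", "nic": "00-40-96-cc-cc-cc", "start": _t("2000-09-01T08:00"),
     "stop": _t("2000-09-01T12:00"), "bytes": 10_000},
]
AUDIT_TIME = _t("2000-11-17T12:00")


def audit(sessions: list, issued_nic: dict, now: datetime) -> list:
    """Return sorted (user, finding) pairs for the conditions on the slide."""
    findings = set()
    by_user = {}
    for s in sessions:
        by_user.setdefault(s["user"], []).append(s)
        end = s["stop"] or now
        if end - s["start"] > MAX_SESSION:
            findings.add((s["user"], "stayed on too long"))
        if s["bytes"] > MAX_BYTES:
            findings.add((s["user"], "transferred too much data"))
        expected = issued_nic.get(s["user"])
        if expected is not None and s["nic"] != expected:
            findings.add((s["user"], "login from wrong machine"))
    for user, rows in by_user.items():
        rows = sorted(rows, key=lambda r: r["start"])
        # Simultaneous logins: a session starts before every earlier one has stopped.
        latest_end = datetime.min
        for r in rows:
            if r["start"] < latest_end:
                findings.add((user, "multiple simultaneous logins"))
            latest_end = max(latest_end, r["stop"] or now)
        last_seen = max(r["stop"] or now for r in rows)
        if now - last_seen > DORMANT_AFTER:
            findings.add((user, "no logon for extended period"))
    # Users holding an issued NIC with no sessions at all in the window.
    for user in issued_nic:
        if user not in by_user:
            findings.add((user, "no logon for extended period"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit(SESSIONS, ISSUED_NIC, AUDIT_TIME):
        print(f"{user}: {finding}")
```

The same checks run unchanged against real Accounting-Request records once the rows are built from the Acct-Session-Id, User-Name, Calling-Station-Id, Acct-Session-Time and Acct-Input/Output-Octets attributes; with only static WEP keys and MAC identification there is no per-user record to feed them.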

Page 15: Comparison First-generation 802.11 Security Issues

Columns: (A) 802.11 w/per-packet IV; (B) 802.11 w/MIC (addition of keyed integrity check); (C) 3DES instead of WEP/RC4; (D) Kerb + DES

Vulnerability                        (A)             (B)             (C)             (D)
Impersonation                        Vulnerable      Vulnerable      Vulnerable      Fixed
NIC theft                            Vulnerable      Vulnerable      Vulnerable      Fixed
Brute force attack (40/56 bit key)   Vulnerable      Vulnerable      Fixed           Vulnerable
Packet spoofing                      Vulnerable      Fixed           Vulnerable      Fixed
Rogue Access Points                  Vulnerable      Vulnerable      Vulnerable      Fixed
Disassociation spoofing              Vulnerable      Fixed           Vulnerable      Fixed
Passive monitoring                   Vulnerable      Vulnerable      Vulnerable      Vulnerable
Global keying issues                 Vulnerable      Vulnerable      Vulnerable      Fixed
Pre-computed dictionary attack       Implementation  Implementation  Implementation  Vulnerable
Offline dictionary attack            Vulnerable      Vulnerable      Vulnerable      Vulnerable

Page 16: Agenda

• Recap – WEP/SSIDs/authentication

• Deployment issues with 802.11 today

• 802.1X for 802.11

• Deployment of new security feature-set

• Standards Update/Pointers

• Questions ?

Page 17: What Is 802.1X?

• IEEE Standard in progress

• Port Based Network Access Control

Page 18: General Description: IEEE 802.1X Terminology

[Diagram]

Supplicant (PAE), on the Semi-Public Network / Enterprise Edge

    EAP Over LAN (EAPOL) / EAP Over Wireless (EAPOW)

Authenticator (PAE; e.g. Switch, Access Point), with a Controlled port and an Uncontrolled port toward the Enterprise Network

    EAP Over RADIUS

Authentication Server (RADIUS)

Page 19: IEEE 802.1X Conversation

[Diagram: Laptop computer, Ethernet, 802.1X Authenticator/Bridge, Radius Server; EAPOL between laptop and authenticator, RADIUS between authenticator and server]

Port connect; access blocked

Laptop → Authenticator: EAPOL-Start
Authenticator → Laptop: EAP-Request/Identity
Laptop → Authenticator: EAP-Response/Identity
Authenticator → Radius Server: Radius-Access-Request
Radius Server → Authenticator: Radius-Access-Challenge
Authenticator → Laptop: EAP-Request
Laptop → Authenticator: EAP-Response (cred)
Authenticator → Radius Server: Radius-Access-Request
Radius Server → Authenticator: Radius-Access-Accept
Authenticator → Laptop: EAP-Success

Access allowed

Page 20: IEEE 802.1X Over 802.11

[Diagram: Laptop computer (wireless), Access Point, Ethernet, Radius Server; EAPOW between laptop and AP, RADIUS between AP and server]

802.11 Associate (Association; access blocked)

Laptop → AP: EAPOL-Start
AP → Laptop: EAP-Request/Identity
Laptop → AP: EAP-Response/Identity
AP → Radius Server: Radius-Access-Request
Radius Server → AP: Radius-Access-Challenge
AP → Laptop: EAP-Request
Laptop → AP: EAP-Response (cred)
AP → Radius Server: Radius-Access-Request
Radius Server → AP: Radius-Access-Accept
AP → Laptop: EAP-Success
AP → Laptop: EAPOW-Key (WEP)

Access allowed

Page 21: 802.1X Packet exchange

Start

Authenticate

Finish

Page 22: 802.1X Packet Exchange: Start - 1

EAPOL-Start

• Defined in IEEE 802.1X draft

• Purpose: Start the authentication process. EAP supplicant is ready for authenticator.

EAPOL-Start

EAP-Request/Identity

EAP-Response/Identity Radius-Access-Request

Page 23: 802.1X Packet Exchange: Start - 2

EAP-Request/Identity

• EAP-Packet defined in 802.1X draft.

• EAP-Request/Identity defined in RFC2284.

• Purpose: Start the authentication process. Authenticator asks for the supplicant's Identity.

EAPOL-Start

EAP-Request/Identity

EAP-Response/Identity Radius-Access-Request

Page 24: 802.1X Packet Exchange: Start - 3

EAP-Response/Identity

• EAP-Packet defined in 802.1X draft.

• EAP-Response/Identity defined in RFC2284.

• Purpose: Supplicant delivers its Identity. AP uses this to send the Radius-Access-Request.

EAPOL-Start

EAP-Request/Identity

EAP-Response/Identity Radius-Access-Request

Page 25: 802.1X Packet Exchange: Authenticate

EAP-Request

EAP-Response Radius-Access-Request

Radius-Access-Challenge

Authenticate sequence varies per authentication method

Radius-Access-Request

Page 26: 802.1X Packet Exchange: Authenticate

• Draft-ietf-radius-ext-07 describes encapsulating EAP in the RADIUS protocol.

• Transport Level Security (TLS) described in RFC2246

• EAP-TLS described in RFC2716

EAP-Request

EAP-Response Radius-Access-Request

Radius-Access-Challenge

Radius-Access-Request

Page 27: 802.1X Packet Exchange: Finish - 1

Radius-Access-Accept

• Contains MS-MPPE-Send-Key attribute per RFC2548.

• This WEP session key has already been delivered/derived by the supplicant in the authentication phase. It is delivered here to the AP.

EAP-Success Radius-Access-Accept

EAPOW-Key

Page 28: 802.1X Packet Exchange: Finish - 2

EAP-Success

• Defined in IEEE 802.1X draft.

• Supplicant could turn WEP on (timing).

EAP-Success Radius-Access-Accept

EAPOW-Key

Page 29: 802.1X Packet Exchange: Finish - 3

EAPOW-Key

• Defined in IEEE 802.1X draft 5.

• Broadcast WEP key to the supplicant. EAPOW-Key gets sent without WEP since timing is not certain. The WEP broadcast keys are encrypted with the session key via software.

EAP-Success Radius-Access-Accept

EAPOW-Key

Supplicant & Authenticator start using the WEP session key.
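An added example (not the deck's or Cisco's code) that runs the Start/Authenticate/Finish sequence from the preceding slides in-process, including the controlled and uncontrolled ports from the terminology slide and the shared secret between AP and RADIUS server. The credential check is EAP-MD5's MD5(Identifier || secret || challenge) from RFC 2284; the session-key derivation and the wrapping of the broadcast key for EAPOW-Key are stand-ins labelled as such (the deck does not show LEAP's), the Message-Authenticator is simplified to an HMAC-MD5 over the NAS name, and the identities, passwords and secrets are constructed.

```python
"""In-process model of the 802.1X Start/Authenticate/Finish exchange.
Added example: key derivation, key wrap and NAS authentication are stand-ins."""
import hashlib
import hmac
import os


def md5_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 (RFC 2284, CHAP-style) response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def derive_session_key(password: bytes, challenge: bytes) -> bytes:
    """Stand-in for a method-specific derivation; both ends compute a 104-bit WEP key."""
    return hmac.new(password, b"session" + challenge, hashlib.sha256).digest()[:13]


def key_wrap(session_key: bytes, data: bytes) -> bytes:
    """Toy keystream XOR standing in for 'encrypted with the session key via software'."""
    ks = hmac.new(session_key, b"eapow-key", hashlib.sha256).digest()
    return bytes(d ^ ks[i % len(ks)] for i, d in enumerate(data))


class RadiusServer:
    """Authentication server: checks the NAS secret, runs EAP, returns the session key."""

    def __init__(self, users: dict, nas_secrets: dict):
        self.users, self.nas_secrets = users, nas_secrets
        self.pending = {}  # State attribute -> (identity, challenge)

    def access_request(self, nas: str, attrs: dict) -> dict:
        # Simplified Message-Authenticator; a NAS configured with another secret is rejected.
        expected = hmac.new(self.nas_secrets.get(nas, b""), nas.encode(), hashlib.md5).digest()
        if not hmac.compare_digest(attrs["nas_auth"], expected):
            return {"code": "Access-Reject"}
        if "eap_identity" in attrs:                       # first round: issue the challenge
            state, challenge = os.urandom(8), os.urandom(16)
            self.pending[state] = (attrs["eap_identity"], challenge)
            return {"code": "Access-Challenge", "state": state,
                    "eap": {"type": "Request", "id": 1, "challenge": challenge}}
        identity, challenge = self.pending.pop(attrs["state"])   # second round: verify
        password = self.users.get(identity)
        if password and hmac.compare_digest(attrs["eap_response"], md5_response(1, password, challenge)):
            return {"code": "Access-Accept", "eap": {"type": "Success"},
                    "MS-MPPE-Send-Key": derive_session_key(password, challenge)}
        return {"code": "Access-Reject", "eap": {"type": "Failure"}}


class Supplicant:
    def __init__(self, identity: str, password: bytes):
        self.identity, self.password = identity, password
        self.session_key = self.broadcast_key = None

    def respond(self, eap_request: dict) -> bytes:
        """EAP-Response (cred). The session key is derived here, matching the
        Finish-1 slide: the supplicant already holds it before Access-Accept."""
        self.session_key = derive_session_key(self.password, eap_request["challenge"])
        return md5_response(eap_request["id"], self.password, eap_request["challenge"])

    def receive_eapow_key(self, wrapped: bytes) -> None:
        self.broadcast_key = key_wrap(self.session_key, wrapped)


class AccessPoint:
    """Authenticator: uncontrolled port carries EAPOL/EAPOW; controlled port opens on EAP-Success."""

    def __init__(self, name: str, secret: bytes, server: RadiusServer):
        self.name, self.secret, self.server = name, secret, server
        self.controlled_port_open = False
        self.session_key = None
        self.broadcast_key = os.urandom(13)

    def forward_data(self, frame: bytes) -> bool:
        return self.controlled_port_open  # data frames need the controlled port

    def authenticate(self, supplicant: Supplicant) -> list:
        """Drive the exchange and return the message sequence as a trace."""
        trace = ["EAPOL-Start", "EAP-Request/Identity", "EAP-Response/Identity"]
        nas_auth = hmac.new(self.secret, self.name.encode(), hashlib.md5).digest()
        reply = self.server.access_request(self.name, {"nas_auth": nas_auth, "eap_identity": supplicant.identity})
        trace += ["Radius-Access-Request", "Radius-" + reply["code"]]
        if reply["code"] != "Access-Challenge":
            return trace
        trace.append("EAP-Request")
        cred = supplicant.respond(reply["eap"])
        trace.append("EAP-Response (cred)")
        reply = self.server.access_request(self.name, {"nas_auth": nas_auth, "state": reply["state"], "eap_response": cred})
        trace += ["Radius-Access-Request", "Radius-" + reply["code"]]
        if reply["code"] != "Access-Accept":
            trace.append("EAP-Failure")
            return trace
        self.session_key = reply["MS-MPPE-Send-Key"]   # key delivered to the AP here
        trace.append("EAP-Success")
        supplicant.receive_eapow_key(key_wrap(self.session_key, self.broadcast_key))
        trace.append("EAPOW-Key")
        self.controlled_port_open = True
        return trace
```

To run it, build a `RadiusServer` with a user table and a per-NAS secret table, an `AccessPoint` configured with the same secret, and call `authenticate` with a `Supplicant`; `forward_data` stays False until the trace ends with EAPOW-Key, and a wrong NAS secret is refused at the first Access-Request before any credential is exchanged.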

Page 30: Advantages of 802.1X for 802.11

• Open, extensible and standards based. Enables interoperable user identification, centralized authentication, key management.

Leverages existing standards: EAP (extensible authentication protocol), RADIUS.

Compatible with existing roaming technologies, enabling use in hotels and public places.

• User-based identification.

• Dynamic key management.

• Centralized user administration. Support for RADIUS (RFC 2138, 2139) enables centralized authentication, authorization and accounting.

RADIUS/EAP (draft-ietf-radius-ext-07.txt) enables encapsulation of EAP packets within RADIUS.

Page 31: Advantages of 802.1X for 802.11 - continued

• Extensible authentication support: EAP designed to allow additional authentication methods to be deployed with no changes to the access point or client NIC

RFC 2284 includes support for password authentication (EAP-MD5), One-Time Passwords (OTP)

Windows 2000 supports smartcard authentication (RFC 2716) and Security Dynamics

Page 32: Agenda

• Recap – WEP/SSIDs/authentication

• Deployment issues with 802.11 today

• 802.1X for 802.11

• Deployment case study with new security features

• Standards Update

• Questions ?

Page 33: Cisco Security Framework

[Layered diagram]

Method Layer: TLS, LEAP, GSS_API (alongside VPN / IKE)

EAP Layer: EAP, 802.1X (EAP APIs)

Media Layer: PPP, 802.3, 802.11 (NDIS APIs)

Backend AAA infrastructure: CS-ACS2000 2.6, Third party EAP-Radius, Kerberos ...

Page 34: Why LEAP?

• Cisco Lightweight EAP (LEAP) Authentication type

• No native EAP support currently available on legacy operating systems

• EAP-MD5 does not do mutual authentication

• EAP-TLS (certificates/PKI) too intense for security baseline feature-set

• Quick support on multitude of host systems

• Lightweight implementation reduces support requirements on host systems

• Need support in backend for delivery of session key to access points to speak WEP with client

Page 35: Cisco LEAP deployment

[Diagram: Laptop computer with LEAP supplicant (Wireless), EAP Access Point, Ethernet backbone, LEAP Radius Server]

Client/Supplicant:
  Network Logon: Win 95/98, Win NT, Win 2K, Win CE, MacOS, Linux
  Driver for OS x: LEAP Authentication support, Dynamic WEP key support, Capable of speaking EAP

Authenticator:
  EAP Authenticator: EAP-LEAP today, EAP-TLS soon, …

Backend/Radius server:
  Radius: Cisco Secure ACS 2.6, Authentication database, Can use Windows user database
  Radius DLL: LEAP Authentication support, MS-MPPE-Send-key support, EAP extensions for Radius

Page 36: LEAP Client / Supplicant Support

Integrated Wireless and Microsoft Network Logon

Page 37: EAP Support in Access Point

Page 38: LEAP Support in Radius Server - 1

Configuring the user database

Page 39: LEAP Support in Radius Server - 2

Configuring the NAS/AP

[Screenshot: NAS entry for the Access Point]

Same shared secret as that configured for the access point

NAS type: Radius (Cisco Aironet), for an EAP-supported Access Point

Page 40: What Does the Radius Server Perform? Cont.

• Authentication

• Generates dynamic session key

• Sends session key to access point

Page 41: What Does the AP Perform? Cont.

• On successful authentication,

Send broadcast WEP key to client.

Maintain client's WEP key.

Start running WEP with client.

Distribute pre-auth.

Page 42: Future EAP Client Work?

• Microsoft placing 802.11 EAP Native supplicant in Win2K, WinCE

• What about other Microsoft OS’s?

Win9x/WinNT (need LEAP)

• What about other OS’s?

Linux, MacOS (need LEAP)

Page 43: Future Backend Work?

• Support for Kerberos

• Promote EAP authentication types on backend servers

• Integrate with SSGs .. etc

Page 44: What About Edge Devices Support for 802.1X Authenticator?

• ELoB Switches.

Catalyst 6k/5k/4k ...

• DSBU Switches.

Catalyst 29xx/35xx ...

Page 45: Agenda

• Recap – WEP/SSIDs/authentication

• Deployment issues with 802.11 today

• 802.1X for 802.11

• Deployment of new security feature-set

• Standards Update/Pointers

• Questions ?

Page 46: Standards Update

• 802.1X Current Status: Draft 8 : http://www.manta.ieee.org/groups/802/1/pages/802.1x.html

Scheduled for letter ballot, January 2001

• 802.11 Security: TG e (Task Group E) working on security and QoS extensions to the 802.11 MAC layer

TG-e Security sub-group chair : Dave Halasz (Cisco- Aironet Engineering)

Joint multi-vendor 802.1X for 802.11 proposal accepted as baseline security document.

Page 47: Pointers

• Whitepaper : Security for Next Generation Wireless LANs v1.1

http://wwwin.cisco.com/cmc/cc/pd/witc/ao340ap/prodlit/wlanw_in.msw

• IEEE 802.1X

http://grouper.ieee.org/groups/802/1/pages/802.1x.html

• RADIUS

http://www.ietf.org/rfc/rfc2138.txt

http://www.ietf.org/rfc/rfc2139.txt

http://www.ietf.org/rfc/rfc2548.txt

http://www.ietf.org/internet-drafts/draft-ietf-radius-radius-v2-06.txt

http://www.ietf.org/internet-drafts/draft-ietf-radius-accounting-v2-05.txt

http://www.ietf.org/internet-drafts/draft-ietf-radius-ext-07.txt

http://www.ietf.org/internet-drafts/draft-ietf-radius-tunnel-auth-09.txt

http://www.ietf.org/internet-drafts/draft-ietf-radius-tunnel-acct-05.txt

• EAP

http://www.ietf.org/rfc/rfc2284.txt

http://www.ietf.org/rfc/rfc2716.txt

Page 48: Agenda

• Recap 1st-generation security for 802.11 WLANs

• Deployment issues with 802.11 today

• 802.1X for 802.11

• Standards Update

• Questions ?

Page 49:

© 2000, Cisco Systems, Inc.