Docstoc

Information Security - Get Now PowerPoint

Document Sample
Information Security - Get Now PowerPoint Powered By Docstoc
					Wireless Security



      Satish P
      Vice President (Embedded Software)
      Network Systems & Technologies (P) Ltd
                      SCOPE
This presentation is about security of Wireless
  Local Area Networks based on the IEE 802.11
  standard. Such networks are also referred to
  as Wi-Fi Networks, WLANs etc. The topics
  covered include
 General Overview of WLAN standards and
  technologies
 Security Issues in WLANs
 Security Solutions
 Case Study


          ISEC 2005        5 SEP 05               2
                             What is a WLAN ?
                A member of the IEEE 802 family of
                  specifications for Local Area Networks which
                  allows computers to get connected to a
WLAN Overview




                  network through wireless
                Advantages of WLANs include
                      Extended coverage and mobility
                      Low cost
                      Easy expansion of the network
                      Compatibility with existing network based
                       applications



                            ISEC 2005           5 SEP 05           3
                               WLAN Standards
                Standard         802.11    802.11a      802.11b     802.11g


                Year             1997      1999         1999        2001
WLAN Overview




                Freq             2.4 GHz   5 GHz        2.4 GHz     2.4 GHz


                Speed            2 Mbps    54 Mbps      11 Mbps     54 Mbps


                Modulation       FHSS /    OFDM /QAM    DSSS/ CCK   OFDM / CCK
                                 DPSK

                Distance         100 Mts   30 Mts       100 Mts     100 Mts




                             ISEC 2005               5 SEP 05                    4
                              WLAN Deployment
                                                 Distribution System
WLAN Overview




                Independent Basic Service Set   Infrastructure Basic Service Set




                               ISEC 2005             5 SEP 05                      5
WLAN Overview
                WLAN Deployment




                    Extended Service Set




                ISEC 2005                  5 SEP 05   6
WLAN Overview
                          WLAN Protocol Stack



                                             OFDM
                                             PHY




                PHY – Converts signals from the MAC Layer to Radio
                Signals
                MAC – Implements the CSMA / CA Mechanism
                LLC – Provides Interface to upper Layers


                            ISEC 2005               5 SEP 05         7
                                                      WLAN MAC

                 Frame Control   Duration ID   Address1     Address2      Address3    Sequence Control   Address4     Data       FCS
                                               (source)   (destination)   (rx node)                      (tx node)

                      2              2            6            6             6               2              6        0 - 2,312    4
WLAN Overview




                                      Basic WLAN MAC Frames Format


                There are 3 Types of Frames
                • Data Frames – Carry Higher Level Protocol data
                • Control Frames – Channel Acquisition , Carrier sensing,
                  Acknowledgement etc
                • Management Frames – Supervisory functions, Association,
                  Disassociation etc




                                         ISEC 2005                                5 SEP 05                                             8
                          WLAN Equipment
                • Access Points

                • Wireless Gateways
WLAN Overview




                • PCI and PCMCIA Adapters

                • USB adapters

                • Wireless Integrated Devices


                          ISEC 2005         5 SEP 05   9
                                  Major Players
                Chipset Vendors          Equipment Vendors
WLAN Overview




                                         Standards Bodies




                            ISEC 2005      5 SEP 05          10
WLAN Security Issues
                                WLAN Security Issues




                       The “Parking Lot” Attacker    The “Rouge” Access Point




                                   ISEC 2005        5 SEP 05                    11
                                  WLAN Security Solutions
                          WEP – Wired Equivalent Privacy
WLAN Security Solutions



                          • Provides two key security elements – authentication and
                            confidentiality
                          • Uses a shared key mechanism and encryption using RC4




                                      Authentication and association



                                        ISEC 2005                 5 SEP 05            12
                                    WEP Vulnerabilities
                          • No mutual authentication
WLAN Security Solutions




                          • No user authentication
                          • Small key size and weak encryption
                          • Shared keys need to changed manually
                          • Subject to “dictionary” attacks since it is not
                            practical to change the keys frequently
                          • Facility to switch off encryption can be
                            misused



                                     ISEC 2005         5 SEP 05               13
                            WPATM        (Wi-Fi Protected Access)
                          • Alternative to WEP introduced by the Wi-Fi
WLAN Security Solutions




                            Alliance in Oct 2003
                          • Replaces RC4 with more robust TKIP
                            (Temporal Key Integrity Protocol) and MIC
                            (Message Integrity check)
                          • Provides mutual authentication and user
                            authentication based on 802.1X/ EAP
                            (Extensible Authentication Protocol) or Pre
                            Shared Keys (PSK)



                                    ISEC 2005         5 SEP 05            14
                                   802.11i and WPA2TM
                          • WPA2TM was introduced by the Wi-Fi Alliance
WLAN Security Solutions



                            in Sep 2004
                          • Equivalent to the IEEE 802.11i security
                            standard ratified earlier in June 2004
                          • Uses the powerful AES (Advanced Encryption
                            Standard) for encryption.
                          • Provides mutual authentication and user
                            authentication based on 802.1X/ EAP or PSKs
                            similar to WPA


                                    ISEC 2005       5 SEP 05              15
                                    802.11i Components
                           Key hierarchy
WLAN Security Solutions



                              – Pairwise Keys: Master Keys and Transient
                                 keys
                              – Group Keys: Temporal Key for broadcasts

                           Authentication
                              – EAP/802.1X/RADIUS

                           Data Encryption
                              – CCMP
                              – TKIP (for legacy devices only)



                                    ISEC 2005           5 SEP 05           16
WLAN Security Solutions
                          802.11i Operational Phases




                             ISEC 2005   5 SEP 05      17
                               Authentication Elements
                           Something you know
WLAN Security Solutions




                             – Username / password combo

                           Something you have

                             – Smart card, token, digital certificate

                           Something you are

                             – Biometrics: Fingerprint, retina, facial
                               geometry

                                   ISEC 2005            5 SEP 05         18
WLAN Security Solutions
                          8021.X Authentication




                           ISEC 2005   5 SEP 05   19
WLAN Security Solutions
                          Authentication Sequence




                            ISEC 2005   5 SEP 05    20
                            Additional Security measures
                           SSID Stealth
                              – In this mode, the Access point does not
WLAN Security Solutions




                                reveal its identity to probe requests from
                                stations
                              – This provides a primitive level of security

                           Access Control Lists
                              – The AP maintains a list of MAC addresses
                                of trusted stations and requests from
                                other MAC addresses are ignored


                                    ISEC 2005         5 SEP 05                21
                              Implementing Secure WLANs
                          Components Required for
WLAN Security Solutions



                          Enterprise Level Deployment

                           Security Policies and Mechanisms
                           Authentication server
                           Authentication database
                           Client devices and Access Points
                            that Wi-Fi CERT
                           EAP type selection
                           Client supplicants




                                        ISEC 2005              5 SEP 05   22
                  CASE Study


Development of a New Generation
     Wireless Access Point




      ISEC 2005         5 SEP 05   23
                       General Features

              Outdoor AP for hotspots
              802.11 b/g compatibility
              LAN and WAN ports
Case Study




              Intel IXP 425 Network processor
              Linux Operating System
              Routing and Forwarding Functions

                   ISEC 2005       5 SEP 05       24
                          Advanced Features
             Virtual Access Points
              A “Virtual Access Point” is a logical entity that exists within
               a physical Access Point (AP). Multiple VAPs can be created
               on a single Physical Device
              Virtual APs allow a single provider to offer multiple
Case Study




               services, as well as enabling multiple providers to share
               the same physical infrastructure
              Each Virtual AP appears to stations to be an independent
               physical AP.
              Virtual APs emulate the operation of physical APs at the
               MAC layer.




                       ISEC 2005                  5 SEP 05                       25
                    Advanced Features – cont.
             High Level of Security
                 WEP, WPA2 and 802.11i compliance
                 RADIUS Accounting

             WDS and Roaming
                 Wireless Distribution System for replacing wired
Case Study




                  infrastructure
                 802.11f compliant roaming

             Quality of Service
                 802.11e based QoS

             Higher Speed and Extended Range
                 Super G and XR technologies

                         ISEC 2005                5 SEP 05           26
                             Architecture
                Management Layer module



Radius accounting                     IAPP module



                              Linux network Stack
wlan0vap0




                 wlan0vap1




                                             master0


                                                       slave0


                                                                slave1
                                              wlan1


                                                       wlan1


                                                                wlan1


                                                                          wlan1
                                                                         slave2
                                                          Master
Virtual




                Virtual




                                            Slave
                                            WDS




                                                           WDS
  AP




                  AP




        PhysicalDevice – wlan0                  PhysicalDevice –
                                                     wlan1




            ISEC 2005                          5 SEP 05                           27
          Concluding Remarks
 Wireless LANs offer significant advantages over
   wired ones
 Falling prices of WLAN devices are leading to
   proliferation of WLANs
 A major concern about WLAN deployment is
   security. Although earlier solutions like WEP
   had major security flaws, new standards like
   WPA2 and 802.11i provide adequate security
 Wireless networks need to be carefully planned
   and implemented to achieve the level of
   security appropriate for the usage scenario.

           ISEC 2005           5 SEP 05             28
                         References
Books
• Wireless Security: Models, Threats Solutions
   – Nichols and Lekkas
• 802.11 Wireless Networks – The definitive guide
   – Mathew S Gost
Papers
• Wireless LAN security performance
   – University of Canterbury New Zealand
• 802.11 Overview
   – Nancy Winget (Cisco), Tim Moore (Microsoft), Dorothy
     Stanley(Agere) and Jesse Walker(Intel)
• Wireless LAN Security
   – Herve Shauer Consultants

             ISEC 2005              5 SEP 05                29
ISEC 2005   5 SEP 05   30