Wireless Robust Security Networks: Keeping the Bad Guys Out with 802.11i (WPA2) SUNY Technology Conference June 21, 2011 Bill Kramp – FLCC Network Administrator
Copyright © 2011 William D. Kramp All Rights Reserved
What is a robust security network (RSN)?
What is involved in deploying WPA2?
What are the support issues with WPA2?
Wireless Security Questions
Enforce authorized access to network
Protect against downgrade attacks
Data protection
◦ Confidentiality
◦ Data integrity
◦ Data origin authentication
◦ Replay protection
Hardjono & Dondeti (2005)
RSN (802.11i) Security Goals
Basic Wireless Terms
Description of EAP and EAP-Methods
802.1x
802.11 Phases
Deploying WPA2
Support issues
Best practices for deployment
Agenda
WEP - Wired Equivalent Privacy
WPA - WiFi Protected Access
WPA2 - WiFi Protected Access 2
TKIP - Temporal Key Integrity Protocol
AES - Advanced Encryption Standard
CCMP - Counter Mode with Cipher Block Chaining MAC Protocol
EAP - Extensible Authentication Protocol
EAPOL - EAP over LAN
EAP-Methods
Terms
Remote Authentication Dial In User Service
Developed for MODEM pools back in the day.
RADIUS
Extensible Authentication Protocol (EAP)
Originally an extension of the Point-to-Point Protocol (PPP): RFC 2284 added EAP authentication to PPP (since superseded by RFC 3748)
EAP
Must be supported by the RADIUS server
40+ methods available: TLS, MS-CHAPv2, PEAP, LEAP, FAST, SIM
802.11i requires mutual authentication
EAP-Methods
Developed by IEEE
EAP over LAN (EAPOL)
Allowed EAP and RADIUS to be used on LANs
Point-to-point communication only
Encapsulates EAP packets for IEEE 802 LANs (including 802.11)
802.1x protocol
Blocks all inbound and outbound traffic until authentication has passed
Exceptions to the rule:
◦ Outbound to wireless device:
Wake-on-LAN “magic” packets
◦ Inbound from wireless device:
EAPOL packet type 4: SNMP notification (Encapsulated ASF Alert)
Uses IEEE 802.1D to accomplish this
Network aspects of 802.1x
RSN Phases
Robust Security Network (802.11i) Phases:
1. Discovery
2. Authentication
3. Key Generation and Distribution
4. Protected Data Transfer
5. Connection Termination
Authentication and Association
AP Beacons
AP Probe Responses
Beacon and Probe Responses provide:
◦ Cipher suites: WEP, TKIP, CCMP (AES)
◦ Authentication mechanisms: 802.1x
Phase 1 - Discovery
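The cipher suites and authentication mechanism listed above are advertised in the RSN information element (element ID 48) of Beacon and Probe Response frames; that is what a STA reads before it decides to associate. The parser below is an added example, not code from the slides: it decodes that element and flags the offers a WPA2-Enterprise deployment should not see (WEP or TKIP, a PSK AKM). The suite tables follow the IEEE 802.11 selectors under OUI 00-0F-AC; the two sample elements are constructed.

```python
"""Parse the RSN information element (element ID 48) carried in Beacon and
Probe Response frames.  This is how a STA learns, before it associates,
which cipher suites and which authentication mechanism the RSN offers.
Added example, not code from the original slides; the two sample IEs below
are constructed."""
import struct

RSN_ELEMENT_ID = 48
RSN_OUI = bytes.fromhex("000fac")          # IEEE 802.11 suite selector OUI
CIPHER_SUITES = {0: "use-group", 1: "WEP-40", 2: "TKIP", 4: "CCMP-128",
                 5: "WEP-104", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM_SUITES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
              5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}
WEAK_CIPHERS = {"WEP-40", "WEP-104", "TKIP"}


def _suite_name(selector, table):
    """A suite selector is OUI (3 bytes) + suite type (1 byte)."""
    oui, suite_type = selector[:3], selector[3]
    if oui != RSN_OUI:
        return f"vendor-{oui.hex()}-{suite_type}"
    return table.get(suite_type, f"unknown-{suite_type}")


def _suite_list(body, offset, table):
    """Read a little-endian count followed by that many 4-byte selectors."""
    (count,) = struct.unpack_from("<H", body, offset)
    offset += 2
    if offset + 4 * count > len(body):
        raise ValueError("suite list runs past end of RSN IE")
    names = [_suite_name(body[i:i + 4], table)
             for i in range(offset, offset + 4 * count, 4)]
    return names, offset + 4 * count


def parse_rsn_ie(ie):
    """ie = element ID, length, body (as it appears in the management frame)."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN information element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1] or len(body) < 2:
        raise ValueError("truncated RSN information element")
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    # Every field after the version is optional; the standard's defaults apply
    # when a field is absent (CCMP, CCMP, 802.1X, no capabilities).
    info = {"group_cipher": "CCMP-128", "pairwise_ciphers": ["CCMP-128"],
            "akm_suites": ["802.1X"], "mfp_capable": False, "mfp_required": False}
    off = 2
    if off + 4 <= len(body):
        info["group_cipher"] = _suite_name(body[off:off + 4], CIPHER_SUITES)
        off += 4
    if off + 2 <= len(body):
        info["pairwise_ciphers"], off = _suite_list(body, off, CIPHER_SUITES)
    if off + 2 <= len(body):
        info["akm_suites"], off = _suite_list(body, off, AKM_SUITES)
    if off + 2 <= len(body):
        (caps,) = struct.unpack_from("<H", body, off)
        info["mfp_required"] = bool(caps & 0x0040)   # MFPR bit
        info["mfp_capable"] = bool(caps & 0x0080)    # MFPC bit
    return info


def rsn_findings(info, expect_enterprise=True):
    """Policy checks for a deployment like the one on these slides: no WEP or
    TKIP anywhere (downgrade exposure) and 802.1X rather than PSK."""
    findings = []
    weak = sorted(c for c in {info["group_cipher"], *info["pairwise_ciphers"]}
                  if c in WEAK_CIPHERS)
    if weak:
        findings.append("weak cipher offered: " + ", ".join(weak))
    if expect_enterprise and any(not a.startswith("802.1X") for a in info["akm_suites"]):
        findings.append("non-802.1X AKM offered: " + ", ".join(info["akm_suites"]))
    return findings


# Constructed sample IEs, hex as they would appear in a Beacon.
# WPA2-Enterprise, CCMP only:
ENTERPRISE_CCMP_IE = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac01 0000")
# WPA/WPA2 "mixed mode" PSK: TKIP group key, TKIP or CCMP pairwise:
MIXED_PSK_IE = bytes.fromhex("3018 0100 000fac02 0200 000fac02 000fac04 0100 000fac02 0000")

if __name__ == "__main__":
    for name, ie in (("enterprise", ENTERPRISE_CCMP_IE), ("mixed-psk", MIXED_PSK_IE)):
        info = parse_rsn_ie(ie)
        print(name, info, rsn_findings(info))
```

Run over captured Beacons, this turns the "protect against downgrade attacks" goal into a concrete check: any AP on the campus SSID whose element yields a finding is still offering TKIP or a pre-shared key alongside the enterprise configuration.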
STA (laptop) and AS (Authentication Server) prove identities using EAP.
AP blocks network traffic (802.1x)
AP forwards traffic between STA and AS
Master Session Key (MSK) established
MSK used to generate subsequent keys
Phase 2: Authentication
Cryptographic keys generated
Keys placed on STA and AP
Frames exchanged only between AP and STA
Phase 3: Key Generation and Distribution
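Phases 2 and 3 worked through in code, as an added example that is not from the slides: the PMK is the first 256 bits of the MSK the EAP method delivers, the 4-way handshake turns the PMK, the two MAC addresses and the two nonces into the PTK with the 802.11i PRF-384, and the KCK part of the PTK authenticates the EAPOL-Key frames exchanged between STA and AP. The MAC addresses, nonces and MSK are constructed placeholders, and the frame builder only produces message 2 of the handshake.

```python
"""802.11i key hierarchy for an 802.1X (WPA2-Enterprise) association.
Added example, not code from the original slides: the EAP method's MSK
yields the PMK (Phase 2), the 4-way handshake nonces turn the PMK into the
PTK = KCK | KEK | TK (Phase 3), and the KCK authenticates the EAPOL-Key
frames.  MAC addresses, nonces and the MSK below are constructed."""
import hashlib
import hmac
import struct


def pmk_from_msk(msk):
    """PMK = L(MSK, 0, 256): the first 256 bits of the EAP master session key."""
    if len(msk) < 32:
        raise ValueError("MSK must be at least 256 bits")
    return msk[:32]


def prf(key, label, data, nbits):
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and truncate to nbits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion",
        Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    For CCMP the 48 bytes split into KCK (16), KEK (16) and TK (16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# EAPOL-Key layout: EAPOL header (4) + descriptor type (1) + key info (2) +
# key length (2) + replay counter (8) + nonce (32) + IV (16) + RSC (8) +
# reserved ID (8) = 81 bytes before the 16-byte Key MIC.
MIC_OFFSET, MIC_LEN = 81, 16


def build_eapol_key_msg2(snonce, rsn_ie, replay_counter=1):
    """Message 2 of the 4-way handshake (STA -> AP) with a zeroed MIC.
    Key Information 0x010A = descriptor version 2 (HMAC-SHA1-128 MIC,
    AES key wrap) | pairwise key | MIC present."""
    body = struct.pack(">BHHQ", 2, 0x010A, 0, replay_counter)   # RSN descriptor type 2
    body += snonce + bytes(16) + bytes(8) + bytes(8)            # nonce, IV, RSC, ID
    body += bytes(MIC_LEN) + struct.pack(">H", len(rsn_ie)) + rsn_ie
    return struct.pack(">BBH", 1, 3, len(body)) + body          # EAPOL v1, type 3 (Key)


def eapol_key_mic(kck, frame):
    """Key MIC for descriptor version 2: HMAC-SHA1 over the whole EAPOL frame
    with the MIC field zeroed, truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def sign_eapol_key(kck, frame):
    return frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]


def verify_eapol_key(kck, frame):
    """The AP performs this check on message 2 before it installs the PTK."""
    return hmac.compare_digest(frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN],
                               eapol_key_mic(kck, frame))


# Constructed values standing in for the EAP exchange and the handshake nonces.
MSK = bytes.fromhex("0f" * 64)              # what the EAP method would deliver
AA = bytes.fromhex("001122334455")          # authenticator (AP) MAC
SPA = bytes.fromhex("66778899aabb")         # supplicant (STA) MAC
ANONCE = bytes.fromhex("a0" * 32)
SNONCE = bytes.fromhex("5c" * 32)
RSN_IE = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac01 0000")

if __name__ == "__main__":
    ptk = derive_ptk(pmk_from_msk(MSK), AA, SPA, ANONCE, SNONCE)
    msg2 = sign_eapol_key(ptk["kck"], build_eapol_key_msg2(SNONCE, RSN_IE))
    print("TK:", ptk["tk"].hex(), "msg2 MIC valid:", verify_eapol_key(ptk["kck"], msg2))
```

Two points the slides state become visible here: the PTK never leaves the STA and AP because both sides derive it from the PMK and the exchanged nonces rather than transmitting it, and because fresh nonces feed the PRF every association gets a fresh TK even when the MSK (and so the PMK) is unchanged.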
Frames with encapsulated traffic between STA and AP
Only the wireless frames between STA and AP are encrypted
Traffic is forwarded between the AP and the wired network
Wired traffic is not encrypted
Phase 4: Protected Data Transfer
Secure connection torn down
802.1x port blocking enabled
Phase 5: Connection Termination
RSN Phases of Operation
Easiest:
◦ iTouch, iPad, iPhone
Moderate effort:
◦ Microsoft, especially Vista
◦ A lot of people don’t update OS
Most difficult:
◦ Apple laptops
Impossible:
◦ Windows 95 laptops
Difficulty Deploying WPA2 Enterprise by Platform/OS
Deploying WPA2 With Machine Authentication
Wireless device must have been joined to the Windows domain over the physical (wired) network first.
The trusted root CA certificate for the RADIUS server certificates must be installed on the wireless devices.
Configuring WPA2 Step 1
SSID has been added.
Select “Connect automatically when network is in range”.
Click the Security tab
Configuring WPA2 Step 2
Set security type to WPA2-Enterprise
Set encryption type to AES
Select network authentication based on your authentication server
Click the “Settings” button
“Remember my credentials” is dependent on policies.
Configuring WPA2 Step 3
Select “Validate server certificate”
“Connect to these servers” should be checked, and the RADIUS servers listed
Select only the Trusted Root Certification Authorities needed
Select “Do not prompt user to authorize new servers”
Select the inner Authentication Method
Click the “Configure” button
Configuring WPA2 Step 4
Select to use the Windows domain credentials.
Click OK
Then click OK for the Protected EAP Properties window.
Configuring WPA2 Step 5
Click the Advanced settings button
Configuring WPA2 Step 6
Select “Specify authentication mode”
Select proper mode
Click OK buttons
Configuring WPA2 Step 7
Device should first join to the domain with Machine credentials, then use the Windows domain credentials to authenticate.
WPA2 Machine Authentication
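Steps 1 to 7 above correspond to elements of the WLAN profile XML that Windows stores for the network and that `netsh wlan export profile` writes out. The audit below is an added example, not from the slides: it reads such a profile and reports every setting that departs from what the steps ask for. The element names follow the netsh export format for a PEAP/MS-CHAPv2 profile; both sample profiles, including the CA thumbprint and server names, are constructed.

```python
"""Audit an exported Windows WLAN profile for the WPA2-Enterprise settings in
configuration steps 1-7.  Added example, not from the original slides.
The XML layout follows what `netsh wlan export profile` writes for a PEAP
profile (element names as in that export); both sample profiles below are
constructed, including the thumbprint and server names."""
import xml.etree.ElementTree as ET

PROFILE_TEMPLATE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
<name>CampusSecure</name><SSIDConfig><SSID><name>CampusSecure</name></SSID></SSIDConfig>
<connectionType>ESS</connectionType><connectionMode>{conn_mode}</connectionMode>
<MSM><security><authEncryption><authentication>{auth}</authentication>
<encryption>{enc}</encryption><useOneX>true</useOneX></authEncryption>
<OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><authMode>{auth_mode}</authMode>
<EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
<ServerValidation><DisableUserPromptForServerValidation>{no_prompt}</DisableUserPromptForServerValidation>
<ServerNames>{servers}</ServerNames><TrustedRootCA>{root_ca}</TrustedRootCA></ServerValidation>
<FastReconnect>true</FastReconnect><InnerEapOptional>false</InnerEapOptional>
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
<UseWinLogonCredentials>{winlogon}</UseWinLogonCredentials></EapType></Eap>
<PeapExtensions>
<PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{validate}</PerformServerValidation>
<AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{accept}</AcceptServerName>
</PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM></WLANProfile>"""


def _text(root, local_name):
    """Text of the first element with this local name, ignoring XML namespaces."""
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == local_name:
            return (elem.text or "").strip()
    return None


def audit_profile(xml_text):
    """Return the deviations from the slides' settings; an empty list is compliant."""
    root = ET.fromstring(xml_text)

    def get(name):
        return _text(root, name)

    findings = []
    if get("authentication") != "WPA2" or get("encryption") != "AES":
        findings.append("security type must be WPA2-Enterprise with AES (step 3)")
    if get("useOneX") != "true":
        findings.append("802.1X is not enabled (step 3)")
    if get("connectionMode") != "auto":
        findings.append("not set to connect automatically when in range (step 2)")
    if get("authMode") not in ("machine", "machineOrUser"):
        findings.append("authentication mode does not use machine credentials (step 7)")
    if get("PerformServerValidation") != "true":
        findings.append("server certificate validation is off (step 4)")
    if get("AcceptServerName") != "true" or not get("ServerNames"):
        findings.append("RADIUS server names are not restricted (step 4)")
    if not get("TrustedRootCA"):
        findings.append("no trusted root CA pinned for the RADIUS certificate (step 4)")
    if get("DisableUserPromptForServerValidation") != "true":
        findings.append("users may be prompted to accept unknown servers (step 4)")
    if get("UseWinLogonCredentials") != "true":
        findings.append("inner MS-CHAPv2 does not use Windows logon credentials (step 5)")
    return findings


# Profile as the slides configure it (thumbprint and server names constructed).
HARDENED_PROFILE = PROFILE_TEMPLATE.format(
    conn_mode="auto", auth="WPA2", enc="AES", auth_mode="machineOrUser",
    no_prompt="true", servers="radius1.example.edu;radius2.example.edu",
    root_ca="11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33 44",
    winlogon="true", validate="true", accept="true")

# The same profile as a "just click through" install would leave it.
WEAK_PROFILE = PROFILE_TEMPLATE.format(
    conn_mode="manual", auth="WPA2", enc="AES", auth_mode="user",
    no_prompt="false", servers="", root_ca="", winlogon="true",
    validate="false", accept="false")

if __name__ == "__main__":
    for label, profile in (("hardened", HARDENED_PROFILE), ("weak", WEAK_PROFILE)):
        print(label, audit_profile(profile) or ["OK"])
```

The three step 4 checks are the ones that matter for the "keeping the bad guys out" goal: without server validation pinned to named RADIUS servers and a specific root CA, a rogue AP with any certificate can collect the MS-CHAPv2 exchange from every laptop that roams past it, and "Do not prompt" keeps users from clicking through that warning.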
Possible causes:
◦ No DHCP address:
Out of leases
DHCP forwarding failure
◦ User exceeded failed login attempts
◦ RADIUS failure:
Server “spacing” out
Bad RADIUS shared secret
◦ AD problem
◦ Machine authentication password expired
Curse of “Domain Not Found” With WPA2 Machine Authentication
Update operating system
Latest wireless drivers:
◦ Windows, Linux, OS X
Use Windows to manage the wireless adapter
Place the wireless network at the top of the preferred networks list
Use “good” passwords
Notify users about the change in advance
Make people available to help convert
Best Practices Deploying WPA2 Enterprise
Vulnerability found on the last line of page 196 of the IEEE 802.11 (2007) Standard
AES is not compromised
The wireless device has to be authenticated first
Uses the shared Group Temporal Key (GTK)
The GTK is intended for transmission by the AP only; stations are only supposed to decrypt with it
An authenticated client can forge GTK-encrypted broadcast frames, so ARP spoofing for MITM could occur
WPA2 Hole 196 Vulnerability
Removing IT staff credentials from user laptops:
1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate and then click the following registry key: HKEY_CURRENT_USER\Software\Microsoft\EAPOL\UserEapInfo
4. On the Edit menu, click Delete.
Clearing Cached Credentials
Beaver, K., Davis, P.T. (2005). Hacking Wireless Networks for Dummies. Wiley Publishing, Inc.: Hoboken, NJ.
Hardjono, T., Dondeti, L.R. (2005). Security in Wireless LANs and MANs. Artech House, Inc.: Norwood, MA.
Resources