Jan 18, 2016
Security for (Wireless) LANs
[email protected] workshop, 30 & 31 March 2004, Amsterdam
Program Workshop
• Security for (W)LANs – Klaas Wierenga
• 802.1X client side – Tom Rixom
• Coffee
• 802.1X server side – Paul Dekkers
• Lunch
• Hands-on
TOC
• Background
• Threats
• Requirements
• Solutions for today
• Solutions for tomorrow
• Conclusion
Background
(Diagram: the SURFnet backbone, with international connectivity, connects Institution A (WLAN) and Institution B (WLAN) as well as access providers offering POTS, ADSL, WLAN and GPRS access.)
Threats
• MAC-address and SSID discovery
– tcpdump
– Ethereal
• WEP cracking
– Kismet (captures the encrypted frames)
– AirSnort (recovers the key from them)
• Man-in-the-middle attacks
Example: Kismet+Airsnort
root@ibook:~# tcpdump -n -i eth1
19:52:08.995104 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.996412 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:08.997961 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.999220 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:09.000581 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:09.003162 10.0.1.1 > 10.0.1.2: icmp: echo reply
^C
Requirements
• Identify users uniquely at the edge of the network
– No session hijacking
• Allow for guest usage
• Scalable
– Local user administration and authN!
– Using existing RADIUS infrastructure
• Easy to install and use
• Open
– Support for all common OSes
– Vendor independent
• Secure
• After proper authN, open connectivity
Solutions for today
• Open access
• MAC-address
• WEP
In use at European NRENs:
• Web-gateway
• PPPoE
• VPN-gateway
• 802.1X
Open network
• Open Ethernet connectivity, IP address via DHCP
• No client software (DHCP ubiquitous)
• No access control
• Network is open (sniffing is easy; every client and server on the LAN is reachable)
Open network + MAC authentication
• Same as open, but the MAC address is verified
• No client software
• Administrative burden of MAC address tables
• MAC addresses are easily spoofed
• Guest usage hard (impossible)
WEP
• Layer 2 encryption between client and access point
• Client must know the (static) WEP key
• Administrative burden on every WEP key change
• Some WEP keys are easy to crack (some less easy): weak RC4 key schedule, and the 24-bit IV repeats within hours on a busy AP
• Not secure
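The "not secure" bullet in practice, as an added example that is not part of the original slides: a toy WEP implementation in Python (RC4 keystream, CRC-32 ICV, 24-bit IV sent in the clear). It shows what an attacker with only a sniffer can do once an IV repeats, which is guaranteed on a busy AP because the IV space is 2^24: a frame with known plaintext yields the RC4 keystream for that IV, every later frame under the same IV is then readable, and a frame with a valid ICV can be injected, all without ever recovering the WEP key. The key, IV and payloads are constructed sample values, not captured traffic.

```python
# Added example, not code from the workshop slides: a toy WEP (RC4 + CRC-32
# ICV, 24-bit IV prepended in clear) used to show why a static WEP key is
# "not secure" even without recovering the key. Key, IV and payloads below
# are constructed sample values.
import struct
import zlib

IV_SPACE = 2 ** 24  # WEP IV is 24 bits: an AP must repeat IVs after at most 16.7M frames


def rc4(key, data):
    """Plain RC4: key scheduling, then keystream XOR (exactly what WEP does)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(payload):
    """WEP integrity check value: CRC-32, little-endian, appended before encryption."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(key, iv, payload):
    """Per-frame RC4 key is IV || shared key; the IV travels in the clear."""
    if len(iv) != 3:
        raise ValueError("WEP IV must be 3 bytes")
    return iv + rc4(iv + key, payload + icv(payload))


def wep_decrypt(key, frame):
    """Receiver side: decrypt with the shared key and verify the ICV."""
    iv, body = frame[:3], frame[3:]
    data = rc4(iv + key, body)
    payload, tag = data[:-4], data[-4:]
    if tag != icv(payload):
        raise ValueError("ICV mismatch")
    return payload


def recover_keystream(frame, known_payload):
    """Attacker side: a frame whose plaintext is known (e.g. a ping the attacker
    provoked) gives the keystream for its IV: keystream = ciphertext XOR plaintext."""
    iv, body = frame[:3], frame[3:]
    known = known_payload + icv(known_payload)
    if len(known) != len(body):
        raise ValueError("known plaintext length does not match the frame")
    return iv, bytes(c ^ p for c, p in zip(body, known))


def decrypt_with_keystream(iv, keystream, frame):
    """Any later frame under the same IV decrypts with the recovered keystream, no key needed."""
    if frame[:3] != iv:
        raise ValueError("different IV: this keystream does not apply")
    body = frame[3:]
    if len(body) > len(keystream):
        raise ValueError("frame longer than the recovered keystream")
    return bytes(c ^ k for c, k in zip(body, keystream))[:-4]  # strip the ICV


def forge_frame(iv, keystream, payload):
    """With a keystream the attacker can also inject frames that carry a valid ICV."""
    data = payload + icv(payload)
    if len(data) > len(keystream):
        raise ValueError("payload longer than the recovered keystream")
    return iv + bytes(p ^ k for p, k in zip(data, keystream))


def iv_reuse_seconds(frames_per_second):
    """Worst-case time before an AP is forced to repeat an IV (many cards restart at 0 on reset)."""
    return IV_SPACE / frames_per_second


def demo():
    """Constructed scenario: the attacker never learns the key, yet reads and injects traffic."""
    key = b"\x0f\x1e\x2d\x3c\x4b"                      # 40-bit static WEP key (made up)
    iv = b"\x00\x00\x01"
    known = b"ping from 10.0.1.2 to 10.0.1.1, seq=1"   # plaintext the attacker knows
    secret = b"confidential payload sent later"        # later frame, IV reused
    first = wep_encrypt(key, iv, known)
    later = wep_encrypt(key, iv, secret)
    iv_seen, keystream = recover_keystream(first, known)
    recovered = decrypt_with_keystream(iv_seen, keystream, later)
    forged = forge_frame(iv_seen, keystream, b"injected by attacker")
    return recovered, wep_decrypt(key, forged)   # AP accepts the forged frame: ICV checks out


if __name__ == "__main__":
    print(demo())
```

The key-recovery attacks the slide refers to (Fluhrer-Mantin-Shamir, as implemented in AirSnort) go further and recover the static key itself; the IV-reuse problem above is the reason even a "strong" WEP key does not help, and why dynamic per-session keys are the first thing 802.1X adds.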
Open network + web gateway
• Open (limited) network; a gateway between the (W)LAN and the rest of the network intercepts all traffic (session intercept)
• Can use a RADIUS backend
• Guest use easy
• Browser necessary
• Hard to make secure (traffic on the (W)LAN stays unencrypted, and the session is only tied to an IP/MAC address)
Example: FUNET
(Diagram: WWW browser on the Public Access Network – Public Access Controller – AAA Server – Internet, with five numbered steps for the login.)
Open network + VPN Gateway
• Open (limited) network; the client must authenticate to a VPN concentrator to reach the rest of the network
• Client software needed
• Proprietary (unless IPsec or PPPoE)
• Hard to scale
• VPN concentrators are expensive
• Guest use hard (sometimes VPN in VPN)
• All traffic encrypted
Example: SWITCH and Uni Bremen
IEEE 802.1X
• True port-based access control (Layer 2) between client and AP/switch
• Several available authentication mechanisms (EAP-MD5, EAP-MSCHAPv2, EAP-SIM, EAP-TLS, EAP-TTLS, PEAP)
• Standardised
• Delivers dynamic, per-session keys for the link-layer encryption (dynamic WEP, WPA/TKIP); 802.1X itself does not encrypt the data
• RADIUS back end:
– Scalable
– Re-use existing trust relationships
• Easy integration with dynamic VLAN assignment
• Client software necessary (OS built-in or third-party)
• Both for wireless AND wired
How does 802.1X work (in combination with 802.1Q)?
(Diagram: the supplicant [email protected]_a.nl exchanges EAPOL with the authenticator (AP or switch) at Institution A; the authenticator relays the EAP over RADIUS to Institution A's RADIUS server, which checks the user DB (f.i. LDAP). Signalling path: supplicant – authenticator – RADIUS server. Data path: supplicant – authenticator – StudentVLAN / GuestVLAN / EmployeeVLAN (802.1Q) – Internet.)
Through the protocol stack
Supplicant (laptop, desktop)      Authenticator (Access Point, Switch)      Auth. Server (RADIUS server)

EAP <-------------------------------------------------------------------------> EAP      (end to end; the authenticator only relays it)
EAPOL <------------> EAPOL        RADIUS <---------------------------------> RADIUS
Ethernet <---------> Ethernet     UDP/IP <---------------------------------> UDP/IP

(802.1X between supplicant and authenticator; RADIUS runs over UDP/IP, not TCP.)
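The stack above, as an added example that is not from the slides: a Python sketch of the same EAP packet at each layer. The supplicant puts EAP-Response/Identity inside an EAPOL frame; the authenticator strips EAPOL and copies the EAP packet unchanged into EAP-Message attributes of a RADIUS Access-Request, adding the Message-Authenticator (HMAC-MD5 under the shared secret, RFC 3579) that the server must verify before it trusts the EAP payload. The protocol constants are the real 802.1X / RFC 3748 / RFC 2865 / RFC 3580 values; the identity, shared secret and RADIUS identifier are made up.

```python
# Added example, not code from the workshop slides: one EAP packet on both
# sides of the authenticator (EAPOL on the LAN, EAP-Message + Message-
# Authenticator in RADIUS). Identity and shared secret are made up.
import hashlib
import hmac
import os
import struct

EAPOL_TYPE_EAP_PACKET = 0          # 802.1X EAPOL packet type "EAP-Packet" (EtherType 0x888E)
EAP_CODE_RESPONSE = 2              # RFC 3748: 1 Request, 2 Response, 3 Success, 4 Failure
EAP_TYPE_IDENTITY = 1
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_WIRELESS_80211 = 19  # RFC 3580 value for IEEE 802.11


def build_eap_identity_response(eap_id, identity):
    """Supplicant: EAP-Response/Identity, the answer to the authenticator's Request/Identity."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_CODE_RESPONSE, eap_id, 4 + len(body)) + body


def parse_eap(packet):
    """Returns (code, id, type, type-data); type is None for Success/Failure."""
    code, eap_id, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 4:
        raise ValueError("bad EAP length")
    if length == 4:
        return code, eap_id, None, b""
    return code, eap_id, packet[4], packet[5:]


def wrap_eapol(eap_packet, version=1):
    """EAPOL header: protocol version, packet type, body length."""
    return struct.pack("!BBH", version, EAPOL_TYPE_EAP_PACKET, len(eap_packet)) + eap_packet


def unwrap_eapol(frame):
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_TYPE_EAP_PACKET:
        raise ValueError("not an EAPOL EAP-Packet")
    return frame[4:4 + length]


def _attr(atype, value):
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def eap_to_radius(eap_packet, identity, secret, radius_id, request_authenticator):
    """Authenticator: Access-Request carrying the EAP packet unchanged (split into
    253-byte EAP-Message attributes) plus Message-Authenticator = HMAC-MD5(secret,
    whole packet) computed with that attribute's value set to 16 zero bytes."""
    attrs = _attr(ATTR_USER_NAME, identity.encode())
    attrs += _attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
    for i in range(0, len(eap_packet), 253):
        attrs += _attr(ATTR_EAP_MESSAGE, eap_packet[i:i + 253])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, radius_id, 20 + len(attrs))
    header += request_authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def parse_radius(packet):
    code, radius_id, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad RADIUS attribute length")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, radius_id, packet[4:20], attrs


def verify_and_extract_eap(packet, secret):
    """RADIUS server: refuse a bad/missing Message-Authenticator, then reassemble
    the EAP packet from the EAP-Message attributes in order."""
    code, radius_id, authenticator, attrs = parse_radius(packet)
    received = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(received) != 1 or len(received[0]) != 16:
        raise ValueError("EAP over RADIUS requires exactly one Message-Authenticator")
    zeroed = struct.pack("!BBH", code, radius_id, len(packet)) + authenticator
    zeroed += b"".join(_attr(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                       for t, v in attrs)
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, received[0]):
        raise ValueError("bad Message-Authenticator: wrong secret or packet altered in transit")
    return b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)


def demo(identity="piet@institution_a.nl", secret=b"example-shared-secret"):
    """Constructed round trip: supplicant -> EAPOL -> authenticator -> RADIUS -> server."""
    eap = build_eap_identity_response(eap_id=1, identity=identity)
    frame = wrap_eapol(eap)                                # on the air / wire
    relayed = unwrap_eapol(frame)                          # authenticator strips EAPOL
    access_request = eap_to_radius(relayed, identity, secret, 7, os.urandom(16))
    at_server = verify_and_extract_eap(access_request, secret)
    return eap, access_request, at_server
```

Note that the User-Name attribute is only a hint for routing (the realm is what the proxies look at); the identity the server acts on is the one inside the EAP packet, which is why the server reassembles EAP-Message rather than trusting User-Name.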
EAP types

Topic | EAP-MD5 | LEAP | EAP-TLS | PEAP | EAP-TTLS
Security solution | Standards-based | Proprietary | Standards-based | Standards-based | Standards-based
Certificates – client | No | n/a | Yes | No | No
Certificates – server | No | n/a | Yes | Yes | Yes
Credential security | None | Weak | Strong | Strong | Strong
Supported authentication databases | Requires clear-text database | Active Directory, NT Domains | Active Directory, LDAP etc. | Active Directory, NT Domain, Token Systems, SQL, LDAP etc. | Active Directory, LDAP, SQL, plain password files, Token Systems etc.
Dynamic key exchange | No | Yes | Yes | Yes | Yes
Mutual authentication | No | Yes | Yes | Yes | Yes
Available supplicants
• Win98, ME: FUNK, Meetinghouse
• Win2k, XP: FUNK, Meetinghouse, MS (+SecureW2)
• MacOS: Meetinghouse
• Linux: Meetinghouse, Open1X
• BSD: under development
• PocketPC: Meetinghouse, MS (+SecureW2)
• Palm: Meetinghouse
Example: SURFnet
(Diagram: guest supplicant piet@institution_b.nl at Institution A. The authenticator (AP or switch) sends the RADIUS signalling to Institution A's RADIUS server, which proxies it via the central RADIUS proxy server to Institution B's RADIUS server and its user DB; on acceptance the data path is placed in Institution A's GuestVLAN (local users go to StudentVLAN / EmployeeVLAN) with access to the Internet.)
Radius proxy hierarchy
(Diagram: national RADIUS proxy servers – SURFnet, FUNET, FCCN, CARnet, (DFN), University of Southampton – connecting to a European-level RADIUS proxy server.)
• Participation guidelines are being drafted
• Aim is to increase membership. Spain, Norway, Slovenia, Czech Republic & Greece have indicated their willingness to join.
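How a guest login travels through the proxy hierarchy on this slide and the SURFnet example before it, as an added Python model that is not SURFnet's or TERENA's code. The realm part of the NAI (user@realm) drives the routing: an institution's RADIUS server authenticates its own realm against the local user DB and returns a role-based VLAN; any other realm is forwarded to the national proxy, which forwards realms it does not know to the European proxy, which routes on the top-level domain. On the way back the visited institution ignores whatever VLAN the home server returned and puts the guest in its own GuestVLAN. Realms, users, passwords and VLAN names are constructed sample data; packets, Proxy-State and the hop limit are simplified to plain objects.

```python
# Added example, not SURFnet's or TERENA's code: realm-based RADIUS proxying
# (institution -> national proxy -> European proxy) with loop detection and
# the visited institution's guest-VLAN policy. All realms, users, passwords
# and VLAN names are constructed sample data.
import hmac
from dataclasses import dataclass, field
from typing import Optional

MAX_HOPS = 6  # assumed loop guard; real proxies also drop over-forwarded requests


@dataclass
class Request:
    user_name: str                              # NAI (RFC 2486): user@realm
    password: str
    hops: list = field(default_factory=list)    # stands in for Proxy-State (RFC 2865 5.33)


@dataclass
class Response:
    code: str                                   # "Access-Accept" or "Access-Reject"
    reason: str = ""
    vlan: Optional[str] = None                  # Tunnel-Private-Group-ID (RFC 3580) when accepted


def split_nai(user_name):
    if "@" not in user_name:
        return user_name, None
    user, realm = user_name.rsplit("@", 1)
    return user, realm.lower()


class Proxy:
    """Routes on the realm: exact match or longest matching suffix ("nl" -> SURFnet).
    Unknown realms go to the parent proxy, or are rejected at the top of the tree."""

    def __init__(self, name, parent=None):
        self.name, self.parent, self.routes = name, parent, {}

    def route(self, realm):
        best = None
        for suffix, server in self.routes.items():
            if realm == suffix or realm.endswith("." + suffix):
                if best is None or len(suffix) > len(best[0]):
                    best = (suffix, server)
        return best[1] if best else None

    def handle(self, req):
        if self.name in req.hops or len(req.hops) >= MAX_HOPS:
            return Response("Access-Reject", f"proxy loop detected at {self.name}")
        req.hops.append(self.name)
        _user, realm = split_nai(req.user_name)
        target = self.route(realm) if realm else None
        if target is None:
            target = self.parent
        if target is None:
            return Response("Access-Reject", f"unknown realm {realm!r} at {self.name}")
        return target.handle(req)


class Institution:
    """An institution's RADIUS server: its own realm is checked against the local
    user DB and gets a role-based VLAN; everything else is proxied upward."""

    VLAN_BY_ROLE = {"student": "StudentVLAN", "employee": "EmployeeVLAN"}

    def __init__(self, realm, users, national_proxy, guest_vlan="GuestVLAN"):
        self.realm, self.users = realm, users            # users: {name: (password, role)}
        self.national_proxy, self.guest_vlan = national_proxy, guest_vlan

    def handle(self, req):
        user, realm = split_nai(req.user_name)
        if realm is None or realm == self.realm:
            return self.authenticate_local(user, req.password)
        if self.realm in req.hops or self.national_proxy is None:
            return Response("Access-Reject", f"cannot forward {realm!r} from {self.realm}")
        req.hops.append(self.realm)
        home = self.national_proxy.handle(req)
        if home.code != "Access-Accept":
            return home
        # Visited-site policy: the home server's VLAN means nothing on our switches,
        # so it is stripped and the guest lands on our own guest VLAN.
        return Response("Access-Accept", f"guest from {realm}", self.guest_vlan)

    def authenticate_local(self, user, password):
        entry = self.users.get(user)
        if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
            return Response("Access-Reject", "bad credentials")
        return Response("Access-Accept", "local user", self.VLAN_BY_ROLE[entry[1]])


def build_hierarchy():
    """Constructed topology: two Dutch institutions behind SURFnet, one Finnish behind FUNET."""
    europe = Proxy("europe-proxy")
    surfnet = Proxy("surfnet-proxy", parent=europe)
    funet = Proxy("funet-proxy", parent=europe)
    inst_a = Institution("institution_a.nl", {"jan": ("jan-pw", "employee")}, surfnet)
    inst_b = Institution("institution_b.nl", {"piet": ("piet-pw", "student")}, surfnet)
    uni_fi = Institution("uni.fi", {"matti": ("matti-pw", "student")}, funet)
    surfnet.routes = {"institution_a.nl": inst_a, "institution_b.nl": inst_b}
    funet.routes = {"uni.fi": uni_fi}
    europe.routes = {"nl": surfnet, "fi": funet}
    return {"institution_a.nl": inst_a, "institution_b.nl": inst_b, "uni.fi": uni_fi}


def login(sites, visited_realm, user_name, password):
    """What the authenticator at `visited_realm` gets back for one 802.1X login."""
    return sites[visited_realm].handle(Request(user_name, password))
```

The loop case is worth running: a realm like unknown.nl that SURFnet does not know is handed up to the European proxy, whose "nl" route points straight back to SURFnet; without the hop check the request would bounce forever, which is exactly the failure a misconfigured realm table produces in a real hierarchy.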
Solutions for tomorrow
• 802.11a|b|g
• 802.16 (WiMax), 802.20
• IPv6
• Mobile IPv6
• WPA (pre-standard 802.11i, TKIP)
• 802.11i: 802.1X + TKIP + AES
Conclusion
• You can make it safe
• One size doesn't fit all (yet?)
• There is convergence in Europe
• 802.1X is the future-proof solution
• It's all about scalability, i.e. size does matter
More information
• SURFnet and 802.1X
– http://www.surfnet.nl/innovatie/wlan
• TERENA TF-Mobility
– http://www.terena.nl/mobility
• The unofficial IEEE 802.11 security page
– http://www.drizzle.com/~aboba/IEEE/