Lesson 14 SAFE Wireless LAN Security in Depth © 2005 Cisco Systems, Inc. All rights reserved. CSI v2.114-1.

Transcript:

Lesson 14: SAFE Wireless LAN Security in Depth

Wireless LAN Security Concepts

The Need for Wireless
802.11 standard-based WLANs provide mobility to network users while maintaining the requisite connectivity to corporate resources.

Types of Wireless Technology
Functional view:
– Peer-to-peer WLANs
– Multiple-cell WLANs
– Building-to-building wireless networks
Technology view:
– IEEE 802.11
– HiperLAN
– HomeRF SWAP
– Bluetooth

802.11 Wireless Technology
The Wi-Fi Alliance provides the Wi-Fi branding for 802.11-based technology. Standard-based wireless technologies take advantage of radio spectrum that is deemed usable by the public without a license. The 802.11 standard specifically uses two frequency bands:
– 2.4-to-2.4835 GHz UHF band, used for 802.11 and 802.11b networks (802.11g uses this band as well)
– 5.15-to-5.35 GHz SHF band, used for 802.11a-based networks

WLAN Radio Frequency Methods
The 802.11 standard specifies two different types of Layer 1 physical interfaces for radio-based devices in the 2.4 GHz band: direct-sequence spread spectrum and frequency-hopping spread spectrum.
[Figure: power versus frequency and power versus time across 2.4-to-2.4835 GHz for direct sequencing (one wide channel) and frequency hopping (narrow channels visited in sequence; channels not in use are marked).]

802.11 Wireless Security
As standardized by the IEEE, security for 802.11 networks can be simplified into two main components:
– Frame encryption
– Authentication
[Figure: client, access point and RADIUS server, with an authentication tunnel from the client through the access point to the RADIUS server.]

WLAN Components
The following are WLAN components:
– Access point
– Bridge
– Antenna
– Network interface card (client adapter)

SAFE Wireless LAN Caveats and Design Considerations (Axioms)

SAFE WLAN Caveats
SAFE WLAN is based on the following caveats:
– Several WLAN technologies are not covered.
– SAFE guidelines do not guarantee a secure environment.
– A security policy is in place.

SAFE WLAN Design Considerations (Axioms)
SAFE WLAN is based on the following design considerations:
– Wireless networks are targets.
– Wireless networks are weapons.

SAFE WLAN Design Considerations (Axioms) (Cont.)
– Traditional WLAN security elements are authentication and key management.
– WEP is insecure: static shared keys, a 24-bit IV that repeats, and a linear CRC-32 integrity check give neither confidentiality nor integrity against a passive or active attacker.

Wireless LAN Security Extensions

WLAN Networks Are Targets: Security Extensions Are Required
The IEEE 802.11i task group is standardizing improvements to WLAN authentication and encryption. The extensions covered in this lesson are:
– 802.1X
– EAP
– IPsec (an overlay VPN, independent of the 802.11 standard)

EAP Authentication Process
[Figure: wireless computer with EAP supplicant; access point with EAP/802.1X support; access switch; campus network; RADIUS server with EAP support and dynamic WEP key generation, connected to the user database.]
1. Client associates with the access point.
2. Access point blocks all user requests to access the LAN.
3. User provides login authentication credentials.
4. RADIUS server authenticates the user.
5. User authenticates the RADIUS server.
6. RADIUS server and client derive the unicast WEP key.
7. RADIUS server delivers the unicast WEP key to the access point.
8. Access point delivers the broadcast WEP key, encrypted with the unicast WEP key, to the client.
9. Client and access point activate WEP and use the unicast and broadcast WEP keys for transmission.

EAP Benefits
EAP provides three significant benefits over basic 802.11 security:
– Mutual authentication scheme
– Centralized management and distribution of encryption keys
– Centralized policy control

EAP Types
Current EAP types include:
– Cisco LEAP
– EAP-TLS
– PEAP
– EAP-TTLS
– EAP-SIM

LEAP Authentication Process
[Figure: wireless computer with LEAP supplicant; access point with Cisco LEAP support; access switch; campus network; RADIUS server with LEAP support and dynamic WEP key generation, connected to the user database.]
1. Client associates with the access point.
2. Access point blocks all user requests to access the LAN.
3. User provides login authentication credentials.
4. RADIUS server authenticates the user.
5. User authenticates the RADIUS server.
6. RADIUS server and client derive the unicast WEP key.
7. RADIUS server delivers the unicast WEP key to the access point.
8. Access point delivers the broadcast WEP key, encrypted with the unicast WEP key, to the client.
9. Client and access point activate WEP and use the unicast and broadcast WEP keys for transmission.
Caveat: LEAP authenticates with an MS-CHAP-style challenge/response that is visible over the air, so a captured exchange can be attacked with an offline dictionary attack (the asleap tool, 2003). LEAP therefore requires a strong password policy; Cisco later positioned EAP-FAST as its replacement.

EAP-TLS Authentication Process
[Figure: wireless computer with EAP-TLS supplicant; access point with EAP/802.1X support; access switch; campus network; RADIUS server with EAP-TLS support and dynamic WEP key generation, connected to the user database.]
1. Client associates with the access point.
2. Access point blocks all user requests to access the LAN.
3. User authenticates the RADIUS server (via digital certificate).
4. RADIUS server authenticates the user (via digital certificate).
5. RADIUS server and client derive the unicast WEP key.
6. RADIUS server delivers the unicast WEP key to the access point.
7. Access point delivers the broadcast WEP key, encrypted with the unicast WEP key, to the client.
8. Client and access point activate WEP and use the unicast and broadcast WEP keys for transmission.

PEAP Authentication Process
[Figure: wireless computer with PEAP supplicant; access point with PEAP support; access switch; campus network; RADIUS server with PEAP support and dynamic WEP key generation, connected to the user database.]
1. Client associates with the access point.
2. Access point blocks all user requests to access the LAN.
3. Client verifies the RADIUS server's digital certificate.
4. RADIUS server authenticates the user (example: OTP authentication).
5. RADIUS server and client derive the unicast WEP key.
6. RADIUS server delivers the unicast WEP key to the access point.
7. Access point delivers the broadcast WEP key, encrypted with the unicast WEP key, to the client.
8. Client and access point activate WEP and use the unicast and broadcast WEP keys for transmission.
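The processes above all end with the RADIUS server "delivering the unicast WEP key to the access point", but the slides do not show what protects that wired AP-to-RADIUS leg. The following is an added example, not course material or Cisco code: a stdlib-only Python model of the two RADIUS messages behind those steps. The Access-Request carries the EAP packet in EAP-Message and must carry a Message-Authenticator (HMAC-MD5 over the packet, RFC 3579); the Access-Accept carries EAP-Success plus the key in the Microsoft vendor attribute MS-MPPE-Recv-Key, wrapped per RFC 2548 with an MD5 chain keyed by the NAS shared secret, and is bound to the request by the Response Authenticator (RFC 2865). The shared secret, user name, request authenticator, key value and salt are constructed values, and the function names are this example's own.

```python
"""RADIUS leg of the 802.1X/EAP exchange: Access-Request with Message-Authenticator,
Access-Accept carrying an MS-MPPE-wrapped unicast key, and the checks a NAS (the AP)
must do before it opens the controlled port. Added example; values are constructed."""
import hashlib
import hmac
import struct

NAS_SECRET = b"example-nas-secret"   # constructed: the key entered for this NAS in ACS
VENDOR_MICROSOFT = 311
MS_MPPE_RECV_KEY = 17


def encode_attrs(attrs):
    """RADIUS attribute list -> bytes: Type(1) Length(1) Value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def iter_attrs(body):
    i = 0
    while i < len(body):
        t, l = body[i], body[i + 1]
        yield t, body[i + 2:i + l]
        i += l


def build_access_request(ident, request_auth, eap_message, secret=NAS_SECRET):
    """AP -> RADIUS. EAP rides in EAP-Message (79). Message-Authenticator (80) is
    HMAC-MD5(secret, packet with the MA value zeroed) and is mandatory with EAP-Message
    (RFC 3579 3.2); without it anyone on the wired path could inject EAP."""
    body = encode_attrs([(1, b"alice"), (79, eap_message), (80, bytes(16))])
    pkt = struct.pack("!BBH", 1, ident, 20 + len(body)) + request_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac              # MA is the last attribute: overwrite its zeros


def verify_message_authenticator(pkt, secret=NAS_SECRET):
    """RADIUS-side check of an incoming Access-Request."""
    body = bytearray(pkt[20:])
    i = 0
    while i < len(body):
        t, l = body[i], body[i + 1]
        if t == 80:
            received = bytes(body[i + 2:i + l])
            body[i + 2:i + l] = bytes(16)
            expected = hmac.new(secret, pkt[:20] + bytes(body), hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        i += l
    return False


def mppe_wrap(key, secret, request_auth, salt):
    """RFC 2548 2.4.2: length byte + key, zero-padded to 16-byte blocks; block i is XORed
    with MD5(secret || previous ciphertext block), the first with MD5(secret || RequestAuth || salt).
    Confidentiality of the key rests entirely on the shared secret and MD5."""
    p = bytes([len(key)]) + key
    p += bytes(-len(p) % 16)
    out, prev = b"", request_auth + salt
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out, prev = out + c, c
    return salt + out


def mppe_unwrap(blob, secret, request_auth):
    salt, data = blob[:2], blob[2:]
    p, prev = b"", request_auth + salt
    for i in range(0, len(data), 16):
        b = hashlib.md5(secret + prev).digest()
        c = data[i:i + 16]
        p, prev = p + bytes(x ^ y for x, y in zip(c, b)), c
    return p[1:1 + p[0]]


def build_access_accept(ident, request_auth, unicast_key, secret=NAS_SECRET):
    """RADIUS -> AP (the 'delivers unicast WEP key' step). EAP-Success plus the key in a
    Vendor-Specific (26) attribute; Response Authenticator =
    MD5(Code || ID || Length || RequestAuth || Attributes || Secret) (RFC 2865 3)."""
    salt = b"\x80\x01"                   # constructed salt; high bit must be set
    wrapped = mppe_wrap(unicast_key, secret, request_auth, salt)
    vsa = struct.pack("!I", VENDOR_MICROSOFT) + bytes([MS_MPPE_RECV_KEY, len(wrapped) + 2]) + wrapped
    body = encode_attrs([(79, b"\x03\x01\x00\x04"), (26, vsa)])   # EAP-Success, id 1
    hdr = struct.pack("!BBH", 2, ident, 20 + len(body))
    resp_auth = hashlib.md5(hdr + request_auth + body + secret).digest()
    return hdr + resp_auth + body


def ap_extract_unicast_key(pkt, request_auth, secret=NAS_SECRET):
    """AP-side handling: reject unless the Response Authenticator binds this reply to our
    request and our secret, then unwrap the key. None means the port stays blocked."""
    hdr, resp_auth, body = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(hdr + request_auth + body + secret).digest()
    if hdr[0] != 2 or not hmac.compare_digest(resp_auth, expected):
        return None
    for t, v in iter_attrs(body):
        if t == 26 and struct.unpack("!I", v[:4])[0] == VENDOR_MICROSOFT and v[4] == MS_MPPE_RECV_KEY:
            return mppe_unwrap(v[6:], secret, request_auth)
    return None


if __name__ == "__main__":
    req_auth = bytes(range(16))                         # constructed; a real NAS uses 16 random bytes
    req = build_access_request(7, req_auth, b"\x02\x01\x00\x0a\x01alice")  # EAP Response/Identity
    print("Message-Authenticator valid:", verify_message_authenticator(req))
    acc = build_access_accept(7, req_auth, bytes.fromhex("0123456789abcdef0123456789"))
    print("AP recovered unicast key:", ap_extract_unicast_key(acc, req_auth).hex())
```

The design point this makes concrete: the unicast key crosses the wired network protected only by the NAS shared secret and an MD5 construction, so that secret must be long and unique per access point, the AP-to-ACS path belongs on the management VLAN the design guidelines call for, and the AP must discard any Access-Accept whose Response Authenticator fails, which is what keeps the blocked port (step 2) closed against a forged accept.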

WEP Enhancements
IEEE 802.11i (ratified in 2004) includes two encryption enhancements:
– TKIP: a set of software enhancements to RC4-based WEP (per-packet key mixing, the Michael message integrity check, and IV sequencing against replay)
– AES: a stronger alternative to RC4 (AES-CCMP)
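As an added example (not part of the course), the following Python script demonstrates the two WEP defects that the "WEP is insecure" axiom refers to and that TKIP's per-packet keys, sequence counter and Michael MIC were designed to close: keystream reuse when the 24-bit IV repeats, and forging a frame without the key because the CRC-32 ICV is linear. The RC4 implementation is the textbook one, WEP framing follows the standard (3-byte IV in clear, RC4 keyed with IV || key over data || ICV; the little-endian ICV encoding is an assumption that does not affect the attack), and the key, IVs and payloads are constructed.

```python
"""WEP weaknesses: keystream reuse on IV collision and ICV-preserving bit flipping.
Added example with constructed key, IVs and payloads; no real traffic involved."""
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA): `length` keystream bytes for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext (little-endian assumed)."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Frame body as WEP transmits it: IV in clear, then RC4(IV||key) over data||ICV."""
    plain = data + icv(data)
    return iv + xor(plain, rc4(iv + key, len(plain)))


def wep_decrypt(key: bytes, frame: bytes):
    """Receiver: strip IV, decrypt, accept only if the ICV matches (else None)."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + key, len(body)))
    data, tag = plain[:-4], plain[-4:]
    return data if icv(data) == tag else None


# Attack 1: IV reuse. Same IV + same key = same keystream, and the 24-bit IV repeats.
def recover_via_iv_reuse(frame_known: bytes, known_data: bytes, frame_target: bytes) -> bytes:
    """Attacker knows the plaintext of one frame (e.g. a predictable DHCP/ARP packet) and
    captures a second frame under the same IV. keystream = C1 xor P1, P2 = C2 xor keystream.
    No key is used; recovery is partial if the known frame is shorter than the target."""
    if frame_known[:3] != frame_target[:3]:
        raise ValueError("IVs differ, so the keystreams differ")
    keystream = xor(frame_known[3:], known_data + icv(known_data))
    n = min(len(keystream), len(frame_target) - 3)
    return xor(frame_target[3:3 + n], keystream)[: len(frame_target) - 3 - 4]


# Attack 2: bit flipping. CRC-32 is linear: crc(a ^ d) == crc(a) ^ crc(d) ^ crc(0*len),
# so flipped payload bits can be matched by flipping bits of the encrypted ICV, keyless.
def forge_by_bit_flip(frame: bytes, offset: int, delta: bytes) -> bytes:
    body = bytearray(frame[3:])
    n = len(body) - 4                        # data length; ICV is the last 4 bytes
    d = bytearray(n)
    d[offset:offset + len(delta)] = delta     # change vector applied to the plaintext
    icv_delta = zlib.crc32(bytes(d)) ^ zlib.crc32(bytes(n))
    for k in range(n):
        body[k] ^= d[k]                       # XOR into ciphertext == XOR into plaintext
    for k, b in enumerate(struct.pack("<I", icv_delta & 0xFFFFFFFF)):
        body[n + k] ^= b                      # same trick on the encrypted ICV
    return frame[:3] + bytes(body)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")        # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                     # IV the station happens to reuse
    p1 = b"DST=10.0.1.10 GET /index.html HTTP/1.0"
    p2 = b"DST=10.0.1.10 PUT /secret pw=hunter2"
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    print("recovered:", recover_via_iv_reuse(f1, p1, f2))
    p3 = b"TRANSFER AMOUNT=0100 TO=ACCT-7"
    f3 = wep_encrypt(key, b"\x00\x00\x02", p3)
    forged = forge_by_bit_flip(f3, p3.index(b"0100"), bytes([ord("0") ^ ord("9")]))
    print("AP accepts forged frame as:", wep_decrypt(key, forged))
```

Neither attack needs the key, which is why rekeying alone (the dynamic-WEP designs later in this lesson) shrinks but does not remove the exposure; the integrity half is only fixed by a keyed MIC, which is what TKIP's Michael and AES-CCMP provide.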

Cisco Wireless LAN Product Portfolio

Cisco Aironet WLAN Product Line
Wireless LAN Aironet access points:
– Cisco Aironet 1300 Series
– Cisco Aironet 1230AG Series
– Cisco Aironet 1200 Series
– Cisco Aironet 1130AG Series
– Cisco Aironet 1100 Series
– Cisco Aironet 350 Series
Aironet wireless and workgroup bridges:
– Cisco Aironet 1400 Series
– Cisco Aironet 1300 Series
– Cisco Aironet 350 Series
Cisco Aironet antennas and accessories
Cisco Aironet Wireless LAN Client Adapters

Cisco Aironet WLAN Product Line (Cont.)
Wireless network management:
– Cisco Mobile Wireless Center
– Cisco Mobile Wireless Fault Mediator
– CiscoWorks for Mobile Wireless
– CiscoWorks Wireless LAN Solution Engine
Wireless security servers:
– Cisco Secure Access Control Server for Unix
– Cisco Secure Access Control Server for Windows
– Cisco Secure Access Control Server Solution Engine

Cisco Aironet WLAN Product Line (Cont.)
Wireless integrated switches and routers:
– Cisco 3200 Series wireless and mobile routers
– Cisco Catalyst 6500 Series switches
Wireless IP telephony:
– Cisco 7900 Series IP phones

Cisco SWAN (Structured Wireless-Aware Network)
[Figure: SWAN elements. Air/RF management (rogue AP and network detection, assisted site surveys, performance optimization); L2 mobility; L3 mobility (future); Cisco IOS Software; CiscoWorks management; clients; secure mobility. Products: wireless access points (AP1200, AP1100); management products (Cisco Secure ACS, CiscoWorks LMS and WLSE); Cisco and Cisco-compatible clients; switches and routers.]

Cisco Compatible Program for WLAN Client Devices
– Cost-effective and scalable
– Improved productivity and accuracy
– Improved security and availability

Wireless LAN Design Approach

WLAN Network Design Fundamentals
The two main WLAN network design choices are as follows:
– Implementing a dynamic WEP keying model using 802.1X EAP and TKIP
– Implementing an overlay VPN network using IPsec

Standard WLAN Design Guidelines
All designs include the following WLAN security principles:
– Access point security
– Client security

Standard Wireless LAN Design

Standard EAP WLAN Design: Key Devices
Key devices are:
– Wireless client adapter and software
– Wireless access point
– Layer 2 or Layer 3 switch
– RADIUS server
– DHCP server
– OTP server (optional)
– PKI server (optional)
[Figure: wireless computer with EAP and TKIP, access point with EAP and TKIP, Layer 3 switch, DHCP/RADIUS/OTP/PKI servers.]

Attack Mitigation Roles for Standard EAP WLAN Design: Threats Mitigated
Roles shown in the figure, grouped by device (grouping inferred from the figure layout):
– Wireless computer with EAP and TKIP: EAP authentication, TKIP (WEP enhancements)
– Access point with EAP and TKIP: EAP authentication, TKIP (WEP enhancements), dynamic WEP key generation
– Layer 3 switch: inter-subnet filtering, RFC 2827 filtering
– DHCP/RADIUS/OTP/PKI servers: EAP authentication and dynamic WEP key generation (RADIUS); virus scanning on the server hosts

EAP with TKIP Design Guidelines
– Give special consideration to the location of the RADIUS and DHCP servers to guarantee high availability.
– Rekeying for both unicast and broadcast keys is recommended.
– Follow EAP-specific design guidelines.

Standard VPN WLAN Design: Key Devices
Key devices are:
– Wireless client adapter and software
– Remote-access VPN client with personal firewall software
– Wireless access point
– Layer 2 switch
– Layer 3 switch
– RADIUS server
– DHCP server
– OTP server
– VPN gateway
[Figure: wireless computer with VPN client, access point with management interface, VPN concentrator, DHCP/RADIUS/OTP/PKI servers.]

Attack Mitigation Roles for Standard VPN WLAN Design: Threats Mitigated
– VPN concentrator: remote-user authentication, IPsec termination, DHCP relay, packet filtering
– Layer 3 switch: inter-subnet filtering, RFC 2827 filtering
– DHCP/RADIUS/OTP/PKI servers: two-factor authentication
– Access point with management interface: possible packet filtering (device-dependent)
– Wireless computer with VPN client: remote VPN gateway authentication, IPsec termination, personal firewall for local attack mitigation, VPN client auto-initiation

Standard VPN WLAN Design Guidelines
– Use the VPN gateway to perform authentication.
– Separate WLAN and wired traffic.
– Prevent network access if the RADIUS or DHCP service fails.
– Implement protocol and port filtering: before the tunnel is established the wireless subnet should be able to reach only DHCP, DNS and the VPN gateway (IKE and ESP).
– Secure the DNS and DHCP servers.
– Implement VACLs and control ICMP.
– Use the auto-initiate feature of the VPN client.
– Implement a personal firewall and disable split tunneling.
Alternatives include:
– Implementing static WEP keys
– Using a layer of 802.1X EAP with the IPsec-based VPN
– Using dedicated hosts for the VPN, WLAN, DHCP, and DNS

Enterprise Wireless LAN Design

Enterprise Network: EAP with TKIP Option
[Figure: wireless computers with EAP and TKIP in the Building Module; Building Distribution Module; Core Module; Server Module with RADIUS/OTP/PKI servers and DHCP/AP management servers; Edge Distribution Module connecting to the E-Commerce, Corporate Internet, VPN and Remote Access, and WAN Modules.]

Enterprise Network EAP with TKIP Option: Design Guidelines
Design guidelines include:
– LEAP and VPN as viable options
– Availability and scalability of servers
– Server load balancing
Network management guidelines include:
– Creating a management VLAN
– Using the access point to provide central authentication
– Using a secure management transport protocol
Alternatives include:
– Implementing user differentiation
– Creating a guest VLAN
– Implementing packet filters

Enterprise Network: IPsec VPN Option
[Figure: wireless computers with VPN client in the Building Module; Building Distribution Module; Core Module; VPN concentrator cluster; Server Module with RADIUS/OTP servers and DHCP/AP management servers; Edge Distribution Module connecting to the E-Commerce, Corporate Internet, VPN and Remote Access, and WAN Modules.]

Enterprise IPsec VPN Option: Design Guidelines
Design guidelines include:
– Balance the necessary cost-security trade-offs.
– Consider client traffic to be insecure before the IPsec tunnel is established.
– Use the auto-initiate feature of the VPN client.
– Filter with ACLs.
– Create redundant servers and VPN gateways for high availability and scalability.
Alternatives include:
– Implement NIDS and firewalls.
– Physically separate WLAN access.
– Create multiple SSIDs and VLANs.

Medium Wireless LAN Design

Medium Network: EAP with TKIP Option
[Figure: wireless computers with EAP and TKIP, access point with EAP and TKIP, corporate users, DHCP/RADIUS/OTP/PKI/AP management servers and management servers, with links to the WAN Module and the Corporate Internet Module.]

Medium Network EAP with TKIP Option: Design Guidelines
General guidelines include:
– Both EAP and VPN are viable security options.
– Prevent network access if the RADIUS service fails.
Network management guidelines include:
– Create a management VLAN.
– Configure the access point to provide central AAA.
– Use SSH Protocol.
Alternatives include:
– RADIUS and DHCP server redundancy.
– Option to implement local RADIUS and DHCP servers.
– User differentiation.

Medium Network: IPsec VPN Option
[Figure: wireless computers with VPN client, access point, VPN concentrator, corporate users, DHCP/RADIUS/OTP/PKI/AP management servers and management servers, with links to the WAN Module and the Corporate Internet Module.]

Medium Network VPN WLAN Design: Alternative
[Figure: alternative topology with the same elements as the IPsec VPN option.]

Small Wireless LAN Design

Small Network EAP WLAN Design
[Figure: wireless computer with EAP and TKIP, access point with EAP and TKIP, corporate users, corporate servers, DHCP/RADIUS/OTP/PKI management servers, with a link to the Corporate Internet Module.]

Small WLAN Network: Design Guidelines
Guideline:
– Single IP subnet
Network guideline:
– Implement EAP with DHCP and RADIUS authentication
Alternative:
– Use static WEP keys (not recommended)

Remote Wireless LAN Design

Remote WLAN Design
The two primary types of remote VPN connectivity defined by SAFE are:
– Software-based VPNs
– Hardware-based VPNs

Software VPN Remote Network WLAN Design
[Figure: wireless computer running the VPN software client with personal firewall, access point, broadband access device, Internet.]

Hardware VPN Remote Network WLAN Design
[Figure: wireless computer with EAP and TKIP, access point with EAP and TKIP, broadband access device, Internet, VPN concentrator.]

SAFE WLAN Implementation

Access Point: Setup Menu Options
[Screenshot]

Access Point: Express Setup Menu
[Screenshot]

Access Point: Security Setup
[Screenshot]

Access Point: WEP Setup
[Screenshot]

Configuring ACU
[Screenshot: Aironet Client Utility, Profile Manager]

Configuring the Client for WEP
[Screenshot: Network Security tab, WEP key information, "Use static WEP keys"]

Configuring the Client for WEP (Cont.)
[Screenshot: client and access point keys must match]

Enabling Authentication on Access Point
[Screenshot: authentication server settings]

Defining an Authenticator
[Screenshot: EAP and LEAP authentication; MAC authentication]

Enabling LEAP on the Client
[Screenshot: LEAP, Configure]

Enabling LEAP on the Client (Cont.)
[Screenshot: LEAP username and password parameters]

Cisco ACS: Main Screen
[Screenshot: Network Configuration]

User Setup in ACS
[Screenshot: user information]

Network Configuration in ACS
[Screenshot: Network Configuration]

Network Configuration in ACS (Cont.)
[Screenshot: network access server hostname and IP address; authentication protocol]

Session Policy Setup in ACS
[Screenshot: Network Configuration, Edit Settings]

Session Policy Setup in ACS (Cont.)
[Screenshot: session timeout]

Summary
– IEEE 802.11 is the standard used by wireless LAN technologies.
– Security for IEEE 802.11 networks can be simplified into two main components: encryption and authentication.
– There are four WLAN components.
– There are security extensions for SAFE WLAN.
– There are two main WLAN network design choices: implementing a dynamic WEP keying model using 802.1X EAP and TKIP, or implementing an overlay VPN network using IPsec.

Summary (Cont.)
– There are numerous design considerations for small, medium, enterprise, and remote-user WLANs.
– The mitigation roles identified for each threat are integral to a successful WLAN implementation.
– The design process is often a series of trade-offs. Some of these trade-offs are made at the module level, whereas others are made at the component level.

Lab Visual Objective

Lab 1 Visual Objective
[Figure: Pod P (P = 1 to 10), network 10.0.P.0/24. Corporate server/ACS at 10.0.P.10, RTS at 10.0.P.11, wireless computer at 10.0.P.21; pod router with public and private interfaces.]

Labs 2 and 3 Visual Objective
[Figure: same topology as Lab 1.]

Lab 4 Visual Objective
[Figure: same topology as Lab 1.]