资源描述
Slide Title,Body Text,Second Level,Third Level,Fourth Level,Fifth Level,Implement Wireless Scalability,Introducing 802.1x,The Need for WLAN Security,The Need for WLAN Security,IEEE 802.11 equipment is widely available and inexpensive.,The 802.11 standard is designed for ease of use and deployment.,Many,sniffers,are available.,Statistics on WLAN security are not encouraging.,Media reports about hot spots, WLAN hacking, and war driving are frequent.,Encryption is not optimally implemented in standard WEP.,Authentication is vulnerable.,Security MethodsAuthentication and Encryption,Security MethodsAuthenticationand Encryption,Authentication:,Proves that you belong on the network,Encryption:,Protects the data traversing the network,Both authentication and encryption are needed and mandated by standards.,WLAN Security Issues,Rogue access points,Weakness of older forms of security:,Service set identifier (SSID),Authentication controlled by MAC,Static WEP keys,Nonmutual,authenticationone way only,WEP Attacks,Weak, static WEP key,Passive or weak initialization vector (IV) attack details,Active or “bit flipping” and replay attack,Authentication dictionary attacks,Overview of WLAN Security,802.11 WEP,IEEE standard for encryption,Uses RC4 algorithmknown vulnerabilities,Keys can be static and shared among many clients,Or keys can be dynamic and unique for each client(as with 802.1x) per session,802.11 Open Authentication,802.11 Shared Key Authentication,Cisco Enhanced 802.11 WEP Security,Cisco Enhanced 802.11 WEP Security,Cisco,Prestandard,enhancements,Implemented in 2001 and 2002,Authentication:,802.1x and Extensible Authentication Protocol (EAP) protocols,User, token, machine credentials,Dynamic encryption key generation,Encryption:,Cisco Key Integrity Protocol (CKIP),Cisco Message Integrity Check (CMIC),Enhanced 802.11 Security,Encryption:,Temporal Key Integrity Protocol and Message Integrity Check,Wi-Fi Protected Access (WPA)TKIP encryption,WPA2Advanced Encryption Standard (AES),Authentication:,802.1x and Extensible Authentication Protocol (EAP) protocols,User, token, machine credentials,Dynamic encryption key generation,IEEE 802.11i,EncryptionTKIP and MIC,Enhancements to RC4-based WEP:,Key hashing for unique seed values per packet,MIC from Michael algorithm,Broadcast key rotation,Key hashing protects against WEP initialization vector vulnerabilities, whereas MIC protects against man-in-the-middle or replay attacks.,EncryptionAES,Specified in 802.11i,128-bit block ciphercryptographically more robustthan RC4,Part of WPA2,Requires new radio cards on clients and access points because more CPU power is required,802.1x Overview,802.1x Authentication Overview,Extensible and Interoperable supports:,Different EAP authentication methods or types,May be used with multiple encryption algorithms,Depends on client capability,Supported by Cisco since December 2000.,802.1x Authentication Key Benefits,Mutual authentication between client and authentication (RADIUS) server,Encryption keys derived after authentication,Centralized policy control,802.1x and EAP Authentication Protocols,Lightweight Extensible Authentication Protocol(LEAP)EAP Cisco Wireless,EAP-Flexible Authentication via Secure Tunneling(EAP-FAST),EAP-Transport Layer Security (EAP-TLS),Protected EAP (PEAP):,PEAP-GTC,PEAP-MSCHAPv2,Components Required for 802.1x Authentication,Authentication server = EAP-capable RADIUS server:,Cisco Secure ACS, Microsoft IAS, Meetinghouse Aegis,Local authentication service on Cisco IOS access point,May use either local RADIUS database or an external database server such as Microsoft Active Directory or RSA,SecurID,Authenticator = 802.1x-capable access point,Supplicant = EAP-capable client:,Requires 802.1x-capable driver,Requires an EAP supplicanteither available with client card, native in operating system, or from third-party software,EAP-Cisco Wireless,Cisco LEAP,Client support:,Windows 98-XP, Windows CE, Macintosh OS 9.X or 10.X, and Linux Kernel 2.2 or 2.4,Cisco Compatible Extensions Clients (CCXv1),RADIUS server:,Cisco Secure ACS and Cisco Access Registrar,Meetinghouse Aegis,Interlink Merit,Microsoft domain or Active Directory (optional) for back-end authentication (must be Microsoft format database),Device support:,Cisco autonomous access points and bridges,Cisco lightweight access points and WLAN controllers,Cisco Unified Wireless IP Phone 7920 (VoIP) handset,Cisco LEAP Authentication,EAP-FAST,EAP-FAST: Flexible Authentication via Secure Tunneling,Considered in three phases:,Protected access credential is generated in phase 0 (Dynamic PAC provisioning),Unique shared credential used to mutually authenticate client and server,Associated with a specific user ID and an authority ID,Removes the need for PKI,A secure tunnel is established in phase 1,Client is authenticated via the secure tunnel in phase 2,EAP-FAST Authentication,EAP-TLS,EAP-TLS,Client support:,Windows 2000, XP, and Windows CE (natively supported),Non-Windows platforms: Third-party supplicants (Meetinghouse),User certificate required for each client,Infrastructure requirements:,EAP-TLS supported RADIUS server,Cisco Secure ACS, Cisco Access Registrar, Microsoft IAS, Aegis, Interlink,RADIUS server requires a server certificate,Certificate authority server (PKI),Certificate management:,Both client and RADIUS server certificates to be managed,EAP-TLS Authentication,EAP-PEAP,EAP-PEAP,Hybrid authentication method:,Server-side authentication with TLS,Client-side authentication with EAP authentication types,EAP-GTC,EAP-MSCHAPv2,Clients do not require certificates.,RADIUS server requires a server certificate:,RADIUS server has self-issuing certificate capability.,Purchase a server certificate per server from PKI entity.,Set up a simple PKI server to issue server certificates.,Allows for one-way authentication types to be used:,One-time passwords,Proxy to LDAP, Unix, Microsoft Windows NT and Active Directory, Kerberos,EAP-PEAP Authentication,Wi-Fi,Protected Access,Wi-Fi Protected Access,WPA introduced in late 2003,Prestandard,implementation of IEEE 802.11i WLAN security,Addresses currently known security problems with WEP,Allows software upgrade on deployed 802.11 equipment to improve security,Components of WPA:,Authenticated key management using 802.1x: EAP authentication and,preshared,key authentication,Unicast and broadcast key management,Standardized Temporal Key Integrity Protocol (TKIP) per-packet keying and message integrity check (MIC) protocol,Initialization vector space expansion: 48-bit initialization vectors,Migration modecoexistence of WPA and non-WPA devices (optional implementation that is not required for WPA certification),802.11i and WPA Authentication and Key Management Overview,WPA Issues,WPA uses TKIP, which uses the same base encryption algorithmRC4as WEP.,WPA cannot avoid the design flaws of WEP entirely.,WPA, is in the end, a compromise solution.,Software upgrade is required for clients and access points, which gives no guarantee that all vendors will support the solution.,Operating system support or a supplicant client is required.,WPA is susceptible to a new type of DoS attack.,WPA is susceptible to a recently discovered weakness when preshared keys are used.,IEEE 802.11iWPA2,802.11i:,Ratified in June 2004,Standardizes:,802.1x for authentication,AES encryptionFacilitates U.S. government FIPS 140-2 compliance,Key management,WPA2:,Supplement to WPA “version 1”,Wi-Fi,Alliance interoperable implementation of 802.11i,Provides for AES encryption to be used,Proactive Key Caching,Third-party testing and certification for WLAN device compatibility,Wireless Intrusion Detection Systems,Address RF-related vulnerabilities:,Detect, locate, mitigate rogue devices,Detect and manage RF interference,Detect reconnaissance if possible,Address standards-based vulnerabilities:,Detect management frame and hijacking style attacks,Enforce security configuration policies,Complementary functionality:,Forensic analysis,Compliance reporting,WPA and WPA2 Modes,WPA,WPA2,Enterprise mode,(business, education, government),Authentication: IEEE 802.1x/EAP,Encryption: TKIP/MIC,Authentication: IEEE 802.1x/EAP,Encryption: AES-CCMP,Personal mode,(SOHO, home/personal),Authentication: PSK,Encryption: TKIP/MIC,Authentication: PSK,Encryption: AES-CCMP,WPA2 Issues,Client (supplicant) must have a WPA2 driver that supports EAP.,RADIUS server must understand EAP.,PEAP carries EAP types within a channel secured by TLS and so requires a server certificate.,WPA2 is more compute-intensive with optional AES encryption.,WPA2 may require new WLAN hardware to support AES encryption.,Summary,Authentication and encryption are the two primary facilities for securing the WLAN.,Encryption is the method of ensuring that data remains uncorrupted throughout the sending and receiving process.,Encryption using static WEP keys is very vulnerable.,EAP and the 802.1x standards are designed to leverage existing standards.,The LEAP authentication process is mutual because the client needs to authenticate the server and the server needs to authenticate the client.,Summary (Cont.),With EAP-FAST, the wireless client associates with access point using open authentication.,EAP-TLS uses authentication derived from digital certificates for user and server authentication.,PEAP uses user authentication with OTP or static password.,WPA has two different modes: Enterprise and Personal. Both modes provide encryption support and user authentication.,WPA2 is similar to WPA but supports AES encryption.,
展开阅读全文