ONT10无线QOSS06L02.ppt

《ONT10无线QOSS06L02.ppt》由会员分享，可在线阅读，更多相关《ONT10无线QOSS06L02.ppt（44页珍藏版）》请在淘文阁 - 分享文档赚钱的网站上搜索。

1、Implement Wireless Scalability,Introducing 802.1x,The Need for WLAN Security,The Need for WLAN Security,IEEE 802.11 equipment is widely available and inexpensive. The 802.11 standard is designed for ease of use and deployment. Many sniffers are available. Statistics on WLAN security are not encourag

2、ing. Media reports about hot spots, WLAN hacking, and war driving are frequent. Encryption is not optimally implemented in standard WEP. Authentication is vulnerable.,Security MethodsAuthentication and Encryption,Security MethodsAuthenticationand Encryption,Authentication: Proves that you belong on

3、the network Encryption: Protects the data traversing the network Both authentication and encryption are needed and mandated by standards.,WLAN Security Issues,Rogue access points Weakness of older forms of security: Service set identifier (SSID) Authentication controlled by MAC Static WEP keys Nonmu

4、tual authenticationone way only,WEP Attacks,Weak, static WEP key Passive or weak initialization vector (IV) attack details Active or “bit flipping” and replay attack Authentication dictionary attacks,Overview of WLAN Security,802.11 WEP,IEEE standard for encryption Uses RC4 algorithmknown vulnerabil

5、ities Keys can be static and shared among many clients Or keys can be dynamic and unique for each client(as with 802.1x) per session,802.11 Open Authentication,802.11 Shared Key Authentication,Cisco Enhanced 802.11 WEP Security,Cisco Enhanced 802.11 WEP Security,Cisco Prestandard enhancements Implem

6、ented in 2001 and 2002 Authentication: 802.1x and Extensible Authentication Protocol (EAP) protocols User, token, machine credentials Dynamic encryption key generation Encryption: Cisco Key Integrity Protocol (CKIP) Cisco Message Integrity Check (CMIC),Enhanced 802.11 Security,Encryption: Temporal K

7、ey Integrity Protocol and Message Integrity Check Wi-Fi Protected Access (WPA)TKIP encryption WPA2Advanced Encryption Standard (AES) Authentication: 802.1x and Extensible Authentication Protocol (EAP) protocols User, token, machine credentials Dynamic encryption key generation IEEE 802.11i,Encryptio

8、nTKIP and MIC,Enhancements to RC4-based WEP: Key hashing for unique seed values per packet MIC from Michael algorithm Broadcast key rotation Key hashing protects against WEP initialization vector vulnerabilities, whereas MIC protects against man-in-the-middle or replay attacks.,EncryptionAES,Specifi

9、ed in 802.11i 128-bit block ciphercryptographically more robustthan RC4 Part of WPA2 Requires new radio cards on clients and access points because more CPU power is required,802.1x Overview,802.1x Authentication Overview,Extensible and Interoperable supports: Different EAP authentication methods or

10、types May be used with multiple encryption algorithms Depends on client capability Supported by Cisco since December 2000.,802.1x Authentication Key Benefits,Mutual authentication between client and authentication (RADIUS) server Encryption keys derived after authentication Centralized policy contro

11、l,802.1x and EAP Authentication Protocols,Lightweight Extensible Authentication Protocol(LEAP)EAP Cisco Wireless EAP-Flexible Authentication via Secure Tunneling(EAP-FAST) EAP-Transport Layer Security (EAP-TLS) Protected EAP (PEAP): PEAP-GTC PEAP-MSCHAPv2,Components Required for 802.1x Authenticatio

12、n,Authentication server = EAP-capable RADIUS server: Cisco Secure ACS, Microsoft IAS, Meetinghouse Aegis Local authentication service on Cisco IOS access point May use either local RADIUS database or an external database server such as Microsoft Active Directory or RSA SecurID Authenticator = 802.1x

13、-capable access point Supplicant = EAP-capable client: Requires 802.1x-capable driver Requires an EAP supplicanteither available with client card, native in operating system, or from third-party software,EAP-Cisco Wireless,Cisco LEAP,Client support: Windows 98-XP, Windows CE, Macintosh OS 9.X or 10.

14、X, and Linux Kernel 2.2 or 2.4 Cisco Compatible Extensions Clients (CCXv1) RADIUS server: Cisco Secure ACS and Cisco Access Registrar Meetinghouse Aegis Interlink Merit Microsoft domain or Active Directory (optional) for back-end authentication (must be Microsoft format database) Device support: Cis

15、co autonomous access points and bridges Cisco lightweight access points and WLAN controllers Cisco Unified Wireless IP Phone 7920 (VoIP) handset,Cisco LEAP Authentication,EAP-FAST,EAP-FAST: Flexible Authentication via Secure Tunneling,Considered in three phases: Protected access credential is genera

16、ted in phase 0 (Dynamic PAC provisioning) Unique shared credential used to mutually authenticate client and server Associated with a specific user ID and an authority ID Removes the need for PKI A secure tunnel is established in phase 1 Client is authenticated via the secure tunnel in phase 2,EAP-FA

17、ST Authentication,EAP-TLS,EAP-TLS,Client support: Windows 2000, XP, and Windows CE (natively supported) Non-Windows platforms: Third-party supplicants (Meetinghouse) User certificate required for each client Infrastructure requirements: EAP-TLS supported RADIUS server Cisco Secure ACS, Cisco Access

18、Registrar, Microsoft IAS, Aegis, Interlink RADIUS server requires a server certificate Certificate authority server (PKI) Certificate management: Both client and RADIUS server certificates to be managed,EAP-TLS Authentication,EAP-PEAP,EAP-PEAP,Hybrid authentication method: Server-side authentication

19、 with TLS Client-side authentication with EAP authentication types EAP-GTC EAP-MSCHAPv2 Clients do not require certificates. RADIUS server requires a server certificate: RADIUS server has self-issuing certificate capability. Purchase a server certificate per server from PKI entity. Set up a simple P

20、KI server to issue server certificates. Allows for one-way authentication types to be used: One-time passwords Proxy to LDAP, Unix, Microsoft Windows NT and Active Directory, Kerberos,EAP-PEAP Authentication,Wi-Fi Protected Access,Wi-Fi Protected Access,WPA introduced in late 2003 Prestandard implem

21、entation of IEEE 802.11i WLAN security Addresses currently known security problems with WEP Allows software upgrade on deployed 802.11 equipment to improve security Components of WPA: Authenticated key management using 802.1x: EAP authentication and preshared key authentication Unicast and broadcast

22、 key management Standardized Temporal Key Integrity Protocol (TKIP) per-packet keying and message integrity check (MIC) protocol Initialization vector space expansion: 48-bit initialization vectors Migration modecoexistence of WPA and non-WPA devices (optional implementation that is not required for

23、 WPA certification),802.11i and WPA Authentication and Key Management Overview,WPA Issues,WPA uses TKIP, which uses the same base encryption algorithmRC4as WEP. WPA cannot avoid the design flaws of WEP entirely. WPA, is in the end, a compromise solution. Software upgrade is required for clients and

24、access points, which gives no guarantee that all vendors will support the solution. Operating system support or a supplicant client is required. WPA is susceptible to a new type of DoS attack. WPA is susceptible to a recently discovered weakness when preshared keys are used.,IEEE 802.11iWPA2,802.11i

25、: Ratified in June 2004 Standardizes: 802.1x for authentication AES encryptionFacilitates U.S. government FIPS 140-2 compliance Key management WPA2: Supplement to WPA “version 1”Wi-Fi Alliance interoperable implementation of 802.11i Provides for AES encryption to be used Proactive Key Caching Third-

26、party testing and certification for WLAN device compatibility,Wireless Intrusion Detection Systems,Address RF-related vulnerabilities: Detect, locate, mitigate rogue devices Detect and manage RF interference Detect reconnaissance if possible Address standards-based vulnerabilities: Detect management

27、 frame and hijacking style attacks Enforce security configuration policies Complementary functionality: Forensic analysis Compliance reporting,WPA and WPA2 Modes,WPA2 Issues,Client (supplicant) must have a WPA2 driver that supports EAP. RADIUS server must understand EAP. PEAP carries EAP types withi

28、n a channel secured by TLS and so requires a server certificate. WPA2 is more compute-intensive with optional AES encryption. WPA2 may require new WLAN hardware to support AES encryption.,Summary,Authentication and encryption are the two primary facilities for securing the WLAN. Encryption is the me

29、thod of ensuring that data remains uncorrupted throughout the sending and receiving process. Encryption using static WEP keys is very vulnerable. EAP and the 802.1x standards are designed to leverage existing standards. The LEAP authentication process is mutual because the client needs to authentica

30、te the server and the server needs to authenticate the client.,Summary (Cont.),With EAP-FAST, the wireless client associates with access point using open authentication. EAP-TLS uses authentication derived from digital certificates for user and server authentication. PEAP uses user authentication with OTP or static password. WPA has two different modes: Enterprise and Personal. Both modes provide encryption support and user authentication. WPA2 is similar to WPA but supports AES encryption.,