Implementing Network Security Wireless Security Segway Steve Lamb
Implementing Network Security – Wireless Security Segway! Steve Lamb, Technical Security Advisor, http://blogs.msdn.com/steve_lamb, stephlam@microsoft.com
So what’s the problem?
• WEP is a euphemism: Wired Equivalent Privacy
• Actually, it’s a lie: it isn’t equivalent to “wired privacy” at all! How can you secure the air?
• Thus: WEP’s very poor. See http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
WLAN Security Challenges: Unsecured WLAN
• Most wireless LANs are unsecured
[Diagram: a Mobile Employee on an unsecured WLAN sends mailto:boss@company.tld through the WLAN Access Point to the Company Servers; the same message is shown arriving at an Evil Hacker within radio range.]
WLAN Security Challenges: Weak Security in 802.11 Static WEP
[Diagram: a frame protected with static WEP shown as ciphertext on the wireless link.]
Other 802.11 Challenges
• Access Points are dim!
• Key Management (!!!!): manual update = never changed!
• Access Control with MAC address filtering = NO SECURITY! (the MAC address is sent in the clear in every frame and is trivially spoofed)
• Neither is scalable
[Diagram: the four functions a WLAN security solution has to cover: Authentication, Authorization, Data Protection, Audit]
WLAN Security Challenges: Weak Security in 802.11 Static WEP
• Static WEP key easily obtained for encryption / authentication
[Diagram: an attacker captures the static-WEP ciphertext; because the one static key serves both encryption and authentication, recovering it gives the attacker both.]
WLAN Security Challenges: Weak Security in 802.11 Static WEP
• Man in the middle attacks are difficult to detect & prevent
[Diagram: the client’s WEP-protected frames are relayed through a Rogue Network operated by the attacker.]
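The weaknesses these slides gesture at, as an added example that is not part of the deck: a toy WEP frame (IV || RC4 under IV||key over plaintext || CRC-32 ICV) and two of the attacks catalogued in the ISAAC WEP FAQ linked above, keystream reuse through IV collisions and ICV forgery through CRC-32 linearity. It does not implement the Fluhrer-Mantin-Shamir key recovery; the key, IV and frame contents are constructed sample values.

```python
# Added example (not from the deck): two WEP weaknesses on a toy WEP frame of the form
#   IV || RC4_{IV||key}(plaintext || CRC-32 ICV)
#   1. IV reuse: only 2^24 IVs exist, so two frames under one IV share a keystream; one known
#      plaintext recovers that keystream and decrypts the other frame.
#   2. ICV linearity: CRC-32 is affine, so bits can be flipped in the ciphertext and the ICV
#      repaired without the key. Key, IV and frame contents below are constructed sample values.
import struct
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); here only so the example runs on the standard library."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def icv(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data))        # WEP's integrity check value is plain CRC-32

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body: 3-byte IV in the clear, then RC4 under IV||key over plaintext||ICV."""
    return iv + rc4(iv + key, plaintext + icv(plaintext))

def wep_decrypt(key: bytes, frame: bytes):
    """Returns (plaintext, ICV ok?) as a receiver would compute them."""
    dec = rc4(frame[:3] + key, frame[3:])
    return dec[:-4], dec[-4:] == icv(dec[:-4])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Attacker: known plaintext (e.g. a predictable header) yields this IV's keystream."""
    return xor(frame[3:], known_plaintext + icv(known_plaintext))

def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Attacker: any other frame sent under the same IV falls to the recovered keystream."""
    return xor(frame[3:], keystream)[:-4]

def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Attacker: XOR `delta` into the plaintext via the ciphertext and repair the ICV using
    crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros); the fix-up depends only on `delta`, never on the key."""
    iv, ct, ct_icv = frame[:3], frame[3:-4], frame[-4:]
    assert len(delta) == len(ct)
    icv_fixup = struct.pack("<I", zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta))))
    return iv + xor(ct, delta) + xor(ct_icv, icv_fixup)

def demo():
    """Returns (plaintext leaked by IV reuse, forged plaintext as the receiver sees it, forged ICV ok?)."""
    key = b"\x01\x02\x03\x04\x05"                      # constructed 40-bit static WEP key
    iv = b"\x00\x00\x01"                               # constructed IV, reused below by the sender
    m1 = b"GET /mail HTTP/1.0\r\n"                     # frame whose plaintext the attacker can guess
    m2 = b"password=hunter2\r\n\r\n"                   # second frame sent under the same IV
    f1, f2 = wep_encrypt(key, iv, m1), wep_encrypt(key, iv, m2)
    leaked = decrypt_with_keystream(f2, recover_keystream(f1, m1))
    delta = xor(b"GET /mail", b"GET /boss") + bytes(len(m1) - 9)   # change only the request path
    forged_plain, forged_ok = wep_decrypt(key, flip_bits(f1, delta))
    return leaked, forged_plain, forged_ok
```

Both attacks work against any frame, not just these, and neither needs the key; the receiver accepts the forged frame because its recomputed ICV matches.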
Alternatives to WEP
VPNs
• Pros
– Familiarity
– Hardware independent
– Proven security
• Cons
– Lacks user transparency
– Only user logon (not computer)
– Breaks roaming profiles, logon scripts, GPOs, shares, management agents, Remote Desktop
– No reconnect on resume from standby
– Complex network structure
VPNs
• More Cons
– No protection for the WLAN itself
– Bottleneck at VPN devices
– Higher management & hardware cost
– Prone to disconnection
• Yet more cons! (non-MS VPNs)
– 3rd-party licensing costs
– Client compatibility
– Many VPN auth schemes (IPsec XAuth) are as bad as WEP!
PEAP encapsulation
1. Server authenticates to client
2. Establishes protected tunnel (TLS)
3. Client authenticates inside tunnel to server
• No cryptographic binding between the PEAP tunnel and the tunnelled authentication method: a rogue access point that terminates the TLS tunnel itself can relay the inner authentication to the real server
• Fix: constrain the client (in GPO) to trust only a specific corporate root CA, validate the server certificate and server name, and do not let users accept unknown servers or CAs at the prompt
– Foils potential MitM attacks
EAP architecture
• Method layer: MD5, TLS, MS-CHAPv2, IKE, PEAP (stacked over TLS), Kerberos and SecurID (stacked over GSS_API)
• EAP layer: EAP
• Media layer: PPP, 802.3, 802.5, 802.11, anything…
802.1X over 802.11 (Supplicant, Authenticator, Authentication Server)
1. 802.11 association; access blocked
2. Supplicant → Authenticator: EAPOL-Start (“Gotta get on!”)
3. Authenticator → Supplicant: EAP-Request/Identity
4. Supplicant → Authenticator: EAP-Response/Identity, forwarded to the Authentication Server as RADIUS-access-request
5. Authentication Server → Authenticator: RADIUS-access-challenge, delivered to the Supplicant as EAP-Request
6. Supplicant → Authenticator: EAP-Response (credentials), forwarded as RADIUS-access-request
7. Authentication Server → Authenticator: RADIUS-access-accept, delivered to the Supplicant as EAP-Success (Supplicant: “Calculating my key…”; Authentication Server: “Calculating this guy’s key…”; Authenticator: “Wow, I just don’t understand this new maths!”)
8. Authenticator → Supplicant: EAPOW-key (WEP); access allowed
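The exchange above, played end to end as an added example that is not part of the deck: the authenticator relays EAP between the supplicant and a RADIUS server, wraps it in Access-Request with a Message-Authenticator, verifies both authenticators on every reply, and opens its controlled port only on a verified Access-Accept. EAP-MD5 stands in as the method so the whole thing runs offline; the deck recommends PEAP, and since MD5-Challenge derives no key material the EAPOW-Key step is absent. The shared secret, identity, password, server name and RADIUS-state handling are assumptions for the example.

```python
# Added example (not from the deck): the slide's 802.1X / EAP / RADIUS exchange in one process, with
# EAP-MD5 (RFC 3748 s5.4) as the method so it stays self-contained. Shared secret, identity, password
# and server name are constructed values; RADIUS State (attr 24) is replaced by a per-user table.
import hashlib, hmac, os, struct
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE, EAP_IDENTITY, EAP_MD5 = 1, 2, 3, 4, 1, 4
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTH = 1, 79, 80

def eap_pack(code, ident, etype=None, data=b""):          # Code | Identifier | Length | [Type | Type-Data]
    body = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eap_unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 4:
        raise ValueError("bad EAP length")
    return (code, ident, None, b"") if code in (EAP_SUCCESS, EAP_FAILURE) else (code, ident, pkt[4], pkt[5:])

def attrs_pack(attrs):                                    # RADIUS attribute = Type | Length | Value
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)

def attrs_unpack(blob):
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or not 2 <= blob[i + 1] <= len(blob) - i:
            raise ValueError("bad RADIUS attribute length")
        attrs.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return attrs

def radius_pack(code, ident, req_auth, attrs, secret):
    """Message-Authenticator (RFC 3579 s3.2) is keyed over the Request Authenticator even in replies; replies
    additionally carry RFC 2865's Response Authenticator MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    body = attrs_pack(attrs + [(ATTR_MESSAGE_AUTH, bytes(16))])
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    body = body[:-16] + hmac.new(secret, hdr + req_auth + body, hashlib.md5).digest()
    if code == ACCESS_REQUEST:
        return hdr + req_auth + body
    return hdr + hashlib.md5(hdr + req_auth + body + secret).digest() + body

def radius_verify(pkt, req_auth, secret):
    """Check both authenticators against the shared secret; raise ValueError on any mismatch."""
    code, ident, attrs = pkt[0], pkt[1], attrs_unpack(pkt[20:])
    zeroed = attrs_pack([(t, bytes(16) if t == ATTR_MESSAGE_AUTH else v) for t, v in attrs])
    given = dict(attrs).get(ATTR_MESSAGE_AUTH, b"")       # mandatory whenever EAP-Message is carried
    if not hmac.compare_digest(given, hmac.new(secret, pkt[:4] + req_auth + zeroed, hashlib.md5).digest()):
        raise ValueError("Message-Authenticator mismatch")
    if code != ACCESS_REQUEST and not hmac.compare_digest(
            pkt[4:20], hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()):
        raise ValueError("Response Authenticator mismatch")
    return code, ident, attrs

def md5_response(ident, password, challenge):             # CHAP response, RFC 1994 s4.1
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

class AuthenticationServer:
    """RADIUS side: unwraps EAP-Message, runs the method, answers Challenge / Accept / Reject."""
    def __init__(self, secret, users):
        self.secret, self.users, self.pending = secret, users, {}
    def handle(self, request):
        req_auth = request[4:20]
        _, rid, attrs = radius_verify(request, req_auth, self.secret)
        _, eid, etype, edata = eap_unpack(b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE))
        user = dict(attrs).get(ATTR_USER_NAME, b"").decode()
        if etype == EAP_IDENTITY:
            chal = os.urandom(16)
            self.pending[user] = (chal, eid + 1)
            eap = eap_pack(EAP_REQUEST, eid + 1, EAP_MD5, bytes([16]) + chal + b"radius.corp.example")
            return radius_pack(ACCESS_CHALLENGE, rid, req_auth, [(ATTR_EAP_MESSAGE, eap)], self.secret)
        chal, want_id = self.pending.pop(user, (None, None))
        pw = self.users.get(user)
        ok = (pw is not None and chal is not None and etype == EAP_MD5 and eid == want_id and len(edata) >= 17
              and edata[0] == 16 and hmac.compare_digest(edata[1:17], md5_response(eid, pw, chal)))
        eap = eap_pack(EAP_SUCCESS if ok else EAP_FAILURE, eid)
        return radius_pack(ACCESS_ACCEPT if ok else ACCESS_REJECT, rid, req_auth, [(ATTR_EAP_MESSAGE, eap)], self.secret)

def supplicant_respond(identity, password, eap):
    """Client side: answer Identity and MD5-Challenge requests; None once Success / Failure arrives."""
    code, eid, etype, edata = eap_unpack(eap)
    if code != EAP_REQUEST:
        return None
    if etype == EAP_IDENTITY:
        return eap_pack(EAP_RESPONSE, eid, EAP_IDENTITY, identity.encode())
    value = md5_response(eid, password, edata[1:1 + edata[0]])
    return eap_pack(EAP_RESPONSE, eid, EAP_MD5, bytes([16]) + value + identity.encode())

def run_8021x(client_password, server_password=b"hunter2"):
    """Play the slide's exchange with the authenticator (AP) inline; returns (port open?, final EAP code)."""
    secret = b"constructed-radius-secret"
    server = AuthenticationServer(secret, {"alice": server_password})
    port_open, user, rid = False, b"", 0                  # AP state: the controlled port starts blocked
    msg = eap_pack(EAP_REQUEST, 0, EAP_IDENTITY)          # AP's EAP-Request/Identity after EAPOL-Start
    while (resp := supplicant_respond("alice", client_password, msg)) is not None:
        _, _, etype, edata = eap_unpack(resp)
        user = edata if etype == EAP_IDENTITY else user
        req_auth, attrs = os.urandom(16), [(ATTR_USER_NAME, user), (ATTR_EAP_MESSAGE, resp)]
        reply = server.handle(radius_pack(ACCESS_REQUEST, rid, req_auth, attrs, secret))
        code, reply_id, rattrs = radius_verify(reply, req_auth, secret)    # AP checks the RADIUS reply
        port_open = code == ACCESS_ACCEPT and reply_id == rid             # only a verified Accept opens it
        msg, rid = b"".join(v for t, v in rattrs if t == ATTR_EAP_MESSAGE), (rid + 1) & 0xFF
    return port_open, eap_unpack(msg)[0]
```

The point to take from the loop is that the AP never trusts an EAP-Success on its own: it opens the port only after the RADIUS reply's Message-Authenticator and Response Authenticator both check out under the shared secret, which is what stops a rogue “server” on the wired side from injecting an Access-Accept.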
Session Summary • Windows XP has great wireless security features • There’s extensive prescriptive guidance available from our website • Don’t be scared of wireless!
Next Steps
• Find additional security training events: http://www.microsoft.com/seminar/events/security.mspx
• Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx
• Check out Security 360: http://www.microsoft.com/seminar/events/series/mikenash.mspx
• Get additional security tools and content: http://www.microsoft.com/security/guidance
Resources
• Microsoft Wi-Fi Page: http://www.microsoft.com/wifi
• The Unofficial 802.11 Security Web Page: http://www.drizzle.com/~aboba/IEEE/
• Intercepting Mobile Communications: The Insecurity of 802.11: http://www.drizzle.com/~aboba/IEEE/wep-draft.zip
• Fluhrer, Mantin, Shamir WEP Paper: http://www.crypto.com/papers/others/rc4_ksaproc.pdf
• Wi-Fi Planet: http://www.wi-fiplanet.com/
• Microsoft Solution for Securing Wireless LANs with PEAP and Passwords (< 1 week): http://www.microsoft.com/technet/security/guidance/peap_0.mspx
• Microsoft Solution for Securing Wireless LANs with Certificates: http://www.microsoft.com/technet/security/prodtech/win2003/pkiwire/swlan.mspx
• Wi-Fi for SOHO Environments: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wifisoho.mspx
Credits
• Thanks to Ian Hellen (MCS) & Steve Riley (Corp) as I “borrowed” several of their slides!
Questions and Answers