WLAN Information Security


Nov 3, 2013 (3 years and 10 months ago)


CSC - Tieteen tietotekniikan keskus Oy
CSC - IT Center for Science Ltd.

WLAN Information Security
Skopje - 15.09.2011
Wenche Backman-Kamila

WPA2
Let’s clean up the mess!
web-authentication

Agenda
- The physical interface
- Authentication
- Encryption
- Traffic management
- Recommendations and comments

The physical interface
- Licence-free frequency bands
  - 2,4 - 2,5 GHz (802.11b/g/n)
  - 5,2 - 5,7 GHz (802.11a/n)
- Threats
  - Interference from
    - Microwave ovens and motion sensors
    - Bluetooth, other wireless equipment, other WLANs
  - RF jammers
  - DoS attacks (association or EAPOL Start)

AUTHENTICATION

Overall security of authentication methods

802.1x
networks

-

alternatives


802.1x is
based

on EAP


EAP
alternatives


TLS


Requires

personal

certificates

but

no
username

and
password


TTLS, PEAP and FAST


Authentication

based

on
username

and
password

Supplicant configuration considerations
- In 802.1x, authentication is performed by a supplicant
- For 802.1x to be really secure, pay attention to which server certificate is used
- In the supplicant
  - Define correct CA
  - Define server name


Information security risks in web-authentication
- The authenticity of the login page cannot be verified
- User IDs and passwords can be intercepted and sessions hijacked.


Authentication considerations
- Content of database
- Eliminate authentication with shared user identities
- Impact of compromised credentials



ENCRYPTION

Wireless security vs wired security
- Signals from Access Points can be captured at the air interface
- Information security risks
  - Sniffing
  - Spoofing
  - Probing

More security risks and countermeasures
- Firesheep
  - Users may get their profiles on e.g. Facebook hijacked
- Countermeasures
  - VPN encryption
    - High requirements on the VPN server
    - Performance usually drops
  - -> Link-layer encryption

Overview of encryption development

Personal and Enterprise
- WPA-Personal, WPA2-Personal (= WPA-PSK, WPA2-PSK)
- WPA-Enterprise, WPA2-Enterprise (= 802.1x)


Details on WPA-TKIP and WPA2-AES
- WPA-TKIP
  - regular key rotation
  - per-frame key mixing
  - a frame sequence counter to protect against replay attacks
  - an improved message integrity check algorithm.
- WPA2-AES
  - Actually AES-CCMP at link layer
  - A single component handles
    - per-frame key management
    - integrity checks


TKIP-vulnerability
- End of 2008
  - Injecting false messages of a few types (e.g. ARP) possible
- September 2009
  - Forging short encrypted packets (e.g. ARP messages) in shorter time (1 min vs 12 min)
- Increased likelihood of session being hijacked
  - Although encryption key never exposed
- -> use only WPA2-AES

Wi-Fi Alliance and WPA-TKIP
- Wi-Fi Alliance will abandon WPA-TKIP in stages 2011-2014.


Encryption conclusions
- Always use the most secure encryption method WPA2-AES
- Why?
  - When all use the same method configuration becomes easier
  - The Wi-Fi Alliance is discontinuing support of WPA-TKIP
- For access to intranets etc. include also VPN encryption

TRAFFIC MANAGEMENT

Authorisation
- Minimum requirement is Internet access
- Separate VLAN for own users and visitors
  - @myorganisation more rights and privileges
- Check VLANs carefully
  - no protected networks or machines using the same VLAN



MAC address blacklisting
- Information security and stability can be improved
  - by stopping
    - Too frequent authentication requests
    - Spreading a worm
    - constantly receiving new IP-addresses
  - by handling notifications of copyright violations
- The user should be notified of blacklisting
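
Added example, not part of the original slides: a sliding-window check that proposes MAC addresses for blacklisting on two of the criteria above and keeps the reason, so the user can be notified. The event tuples, thresholds and function name are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed events (seconds, MAC, kind, IP); not a real log format.
EVENTS = sorted(
    [(t, "02:00:00:00:00:0a", "auth", "") for t in range(0, 60, 2)]
    + [(20 * n, "02:00:00:00:00:0b", "lease", f"10.0.0.{n}") for n in range(1, 9)]
    + [(0, "02:00:00:00:00:0c", "auth", ""),
       (5, "02:00:00:00:00:0c", "lease", "10.0.1.5"),
       (1800, "02:00:00:00:00:0c", "lease", "10.0.1.5")]
)

# Assumed thresholds; tune them to the network.
AUTH_LIMIT, AUTH_WINDOW = 20, 60      # more than 20 auth requests in 60 s
LEASE_LIMIT, LEASE_WINDOW = 5, 600    # more than 5 distinct IPs in 600 s

def blacklist_candidates(events):
    """Return {mac: reason} for clients that exceed either threshold."""
    auth, leases, reasons = defaultdict(deque), defaultdict(deque), {}
    for ts, mac, kind, ip in events:
        if kind == "auth":
            q, window = auth[mac], AUTH_WINDOW
        elif kind == "lease":
            q, window = leases[mac], LEASE_WINDOW
        else:
            continue
        q.append((ts, ip))
        while q[0][0] <= ts - window:   # drop entries that left the window
            q.popleft()
        if kind == "auth" and len(q) > AUTH_LIMIT:
            reasons.setdefault(mac, "too frequent authentication requests")
        if kind == "lease" and len({i for _, i in q}) > LEASE_LIMIT:
            reasons.setdefault(mac, "constantly receiving new IP addresses")
    return reasons

if __name__ == "__main__":
    for mac, reason in blacklist_candidates(EVENTS).items():
        print(f"blacklist {mac}: {reason}")
```

A client that renews the same address, like the third one in the sample, is not counted as receiving new addresses.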

Other restrictions
- SMTP
  - Only access to own servers allowed
- Block connections from the Internet
- Block devices from acting as DHCP servers
- Make terminals communicate with each other through the AP

RECOMMENDATIONS

Regarding authentication
- Inform of the weaknesses of unencrypted networks
  - and of the need to switch to 802.1x
- Consider implications of stolen passwords
  - Or use different passwords for WLAN
- Grant access to VPN without web-authentication
- Don’t allow use of unencrypted protocols in unencrypted networks
- Comments regarding authentication
  - Open networks are misused and copyright infringements occur
  - MAC address blacklisting improves security and stability

Regarding encryption
- Use only WPA2-AES
  - If you have VERY good reasons allow also WPA-TKIP
- Acknowledge supplicant configuration implications
- Unencrypted networks are risky
  - Open networks
  - Pre-shared key networks
  - Web-authenticated networks
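
Added example, not part of the original slides: an audit of wpa_supplicant network blocks against two points made above, the supplicant configuration slide (define the correct CA and the server name) and the recommendation to use only WPA2-AES. The sample configuration, file path, host names and function names are constructed for illustration; the configuration keys are wpa_supplicant's own.

```python
import re
# Constructed sample wpa_supplicant.conf (not from the slides).
SAMPLE_CONF = '''
network={
    ssid="campus-legacy"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="campus-1x"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    group=CCMP
    eap=TTLS
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.org"
}
'''

# Defaults documented for wpa_supplicant when a key is left out of a block.
DEFAULTS = {"key_mgmt": "WPA-PSK WPA-EAP", "proto": "WPA RSN",
            "pairwise": "CCMP TKIP", "group": "CCMP TKIP WEP104 WEP40"}
SERVER_NAME_KEYS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")

def parse_networks(text):
    """Return one {key: value} dict per network={...} block (simplified parser)."""
    bodies = re.findall(r"network\s*=\s*\{(.*?)\}", text, re.S)
    return [{k.strip(): v.strip().strip('"') for k, v in
             (ln.split("=", 1) for ln in body.splitlines() if "=" in ln)}
            for body in bodies]

def audit(net):
    """Return the findings for one network block, with defaults applied."""
    cfg = {**DEFAULTS, **net}
    findings = []
    if "WPA-EAP" in cfg["key_mgmt"].split():
        if not (cfg.get("ca_cert") or cfg.get("ca_path")):
            findings.append("no CA defined")
        if not any(cfg.get(k) for k in SERVER_NAME_KEYS):
            findings.append("no server name defined")
    if "WPA" in cfg["proto"].split():
        findings.append("WPA allowed, not only WPA2 (RSN)")
    if set(cfg["pairwise"].split() + cfg["group"].split()) - {"CCMP"}:
        findings.append("ciphers other than AES-CCMP allowed")
    return findings

def audit_conf(text):
    return {n.get("ssid", "?"): audit(n) for n in parse_networks(text)}
```

The first block shows that leaving the keys out is not neutral: with no CA the server certificate is not verified, and the default protocol and cipher lists still admit WPA-TKIP.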

References and contact info
- Main reference
  - WLAN Information Security BPD
  - http://www.terena.org/campus-bp/bpd.html
- Wenche.Backman-Kamila@csc.fi