Tuesday 3 July 2012

Wireless Security - Inc. EAP, PKI,

DoS Protection:
Management Frame Protection (MFP) can be used to protect against the flooding of probe requests or other management transmissions. MFP comes in two forms: infrastructure and client.
In infrastructure MFP mode the controller generates a signature for each WLAN, which is added to each management frame sent. Any attempt to alter a frame, or any frame carrying an unknown SSID, is detected by the MIC (Message Integrity Check): an alarm is generated and the controller instructs the AP to drop the frame.
In client mode the client itself can be configured to detect and drop spoofed or invalid management frames. To support this, CCX v5 must be used, together with WPA2 using TKIP or AES.

Passive vs. active attacks: an active attack is one where the hacker is actively interacting with clients, the AP or the network in real time. A passive attack is usually wireless sniffing for information gathering, either online (on the fly) or offline for later analysis.
IDS / IPS is used to guard against passive attacks.

Authentication:
The act of identifying a device or person. It should be based on something you know (username and password), something you have (smart card / crypto token) or something you are (biometrics, e.g. a retina scan). Authentication can be per user or per device (certificates).

Two types of authentication are open and shared-key. Open authentication is just that: you only need the SSID. Shared-key authentication relies on a clear-text challenge from the AP, which is encrypted by the client's WEP key and sent back; if it matches the challenge encrypted with the AP's WEP key, the user is authenticated. This is not secure, as a hacker snooping both the clear-text challenge and the encrypted challenge can work out and decipher the WEP key.

EAP can be configured instead as the method of authentication. The AP can be configured to use a RADIUS server, an LDAP server, or local EAP, where the AP acts as both the authenticator and the authentication server. Local EAP supports LEAP, EAP-FAST and EAP-TLS, and is usually used as a backup if the RADIUS server becomes unavailable. A local user directory or an LDAP directory can be used. Here is the EAP process:

  1. Association request from the client to the AP, then the AP responds with the authentication response.
  2. The EAPOL (EAP over LAN) process starts with an EAPOL request sent from the AP to the client.
  3. The client responds to the AP with an EAPOL response, which the AP forwards to the RADIUS server.
  4. The server sends an EAP request to the client via the AP, and the client sends an EAP response back.
  5. If the EAP response is good, the server sends back an EAP success and the encryption keys.
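
The five-step exchange above, as an added Python simulation that is not part of the original post: the AP (authenticator) only relays EAP packets between a supplicant and a RADIUS-style server with a local user database. The EAP codes and the Identity type are the real RFC 3748 values; the challenge/response method, its type number and the key derivation are constructed stand-ins for a real EAP method.

```python
import hashlib, hmac, os
from dataclasses import dataclass
from typing import Optional

# EAP codes and the Identity type are the real RFC 3748 values; the challenge type
# number, the HMAC method and the key derivation are constructed for this toy.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_CHALLENGE = 1, 200

@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int] = None
    data: bytes = b""

def derive_key(secret: bytes, challenge: bytes) -> bytes:
    # Constructed key derivation: both sides compute it from the shared secret.
    return hashlib.sha256(b"toy-eap-key" + secret + challenge).digest()

class Supplicant:  # the wireless client
    def __init__(self, identity: str, secret: bytes):
        self.identity, self.secret, self.key = identity, secret, None
    def handle(self, pkt: EapPacket) -> Optional[EapPacket]:
        if pkt.code == EAP_REQUEST and pkt.eap_type == TYPE_IDENTITY:
            return EapPacket(EAP_RESPONSE, pkt.identifier, TYPE_IDENTITY, self.identity.encode())
        if pkt.code == EAP_REQUEST and pkt.eap_type == TYPE_CHALLENGE:
            self.key = derive_key(self.secret, pkt.data)  # same key the server hands the AP
            return EapPacket(EAP_RESPONSE, pkt.identifier, TYPE_CHALLENGE,
                             hmac.new(self.secret, pkt.data, hashlib.sha256).digest())
        return None

class AuthServer:  # RADIUS-style authentication server with a local user database
    def __init__(self, users: dict):
        self.users, self.identity, self.challenge = users, None, os.urandom(16)
    def start(self) -> EapPacket:
        return EapPacket(EAP_REQUEST, 1, TYPE_IDENTITY)
    def handle(self, pkt: EapPacket) -> EapPacket:
        if pkt.eap_type == TYPE_IDENTITY:
            self.identity = pkt.data.decode()
            return EapPacket(EAP_REQUEST, pkt.identifier + 1, TYPE_CHALLENGE, self.challenge)
        secret = self.users.get(self.identity)
        if secret and hmac.compare_digest(
                hmac.new(secret, self.challenge, hashlib.sha256).digest(), pkt.data):
            return EapPacket(EAP_SUCCESS, pkt.identifier, data=derive_key(secret, self.challenge))
        return EapPacket(EAP_FAILURE, pkt.identifier)

def run_eap(client: Supplicant, server: AuthServer) -> Optional[bytes]:
    """The AP only relays; returns the key delivered with EAP Success, else None."""
    pkt = server.start()                   # step 2: Identity request sent towards the client
    while pkt.code == EAP_REQUEST:         # steps 3-4: each client response is relayed to the server
        pkt = server.handle(client.handle(pkt))
    return pkt.data if pkt.code == EAP_SUCCESS else None   # step 5: success carries the key
```

A wrong secret or an unknown identity ends the loop with EAP Failure and no key is released to the AP.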

Certificates and PKI (Public Key Infrastructure):
Some flavours of EAP require certificates to be used as authentication credentials, which means you must have a PKI in your network. A PKI requires a certificate server which issues certificates to devices or users. Certificates consist of a public key / private key pair.
Symmetric keys are both the same, whereas with asymmetric keys the encryption (public) and decryption (private) keys are different. PKI uses asymmetric keys. The certificate server is called the Certificate Authority (CA); it should be trusted by both parties in the authentication.

EAP-TLS:
This is the most secure and also the most complicated method. Certificates must be installed on both the client and the server. Client and authentication server keys must be generated and signed by a PKI, then installed on each device.

EAP-FAST:
A Cisco proprietary method of providing the same level of security as EAP-TLS without needing a PKI or certificates. Instead it creates an encrypted tunnel: the server generates a PAC (Protected Access Credential), which is used in the same way as the key pair in EAP-TLS. The PAC contains the PAC-Key (like a private key), the PAC-Opaque, used to identify the client and retrieve the PAC-Key, and the PAC-Info, which contains information such as the server's authority ID. After the PAC is used to create the tunnel, the client is authenticated with passwords or security tokens.

PEAP:
PEAP sits between EAP-TLS and EAP-FAST. It only requires a certificate on the server. The two variations are PEAP-MSCHAPv2 (uses MSCHAPv2 authentication) and PEAP-GTC (uses Generic Token Card authentication). The client identifies itself in plain text. The server sends its certificate to the client to verify its identity; the client generates a master key, encrypts it with the server's public key, and a secure tunnel is created. The client then identifies itself a second time, as the transmissions are now protected by the tunnel.

LEAP:
This was developed by Cisco but made available to other vendors' devices through licensing, and it uses only a username and password. However, it is no longer secure due to the ease of breaking it.
