How to Cheat at Securing a Wireless Network, Part 3 (pptx)


Chapter 2 • Wireless Security (www.syngress.com)

[Figure 2.78: Creating the WPA Connection to the Access Point]

[Figure 2.79: The WPA Connection Is Made]

At this point, you are running in debug mode to ensure that everything is correct. Kill this connection with Ctrl+C. Rerun the same command with the -B option instead of -d to run wpa_supplicant in daemon mode, which shows no debug output and lets you run additional commands from the command prompt (see Figure 2.80). You will need to set a static IP address for the network you are connected to using the ifconfig command, or issue the dhcpcd or dhclient command on the wlan0 interface to get a DHCP address and make the connection.

[Figure 2.80: Daemon Mode and Obtaining an IP Address]

Notes from the Underground…

Enabling Security Features on the Xbox

Many Xbox owners like to take advantage of the Xbox Live feature. Xbox Live allows gamers to connect their Xboxes to the Internet and play selected games against online opponents. Since the Xbox is often connected to a TV that isn’t necessarily in the same room with most of the household computer equipment, wireless networking is a natural choice for this connection. Several available wireless bridges (such as the Linksys WET 11 Wireless Ethernet Bridge) will connect the Xbox to a home network. These devices must be configured to use the wireless network’s security features.

First, log in to the WET 11. By default, the WET 11 is configured to use the IP address 192.168.1.251 (see Figure 2.81).

[Figure 2.81: The Linksys WET 11 Initial Setup Screen]

Enter the SSID for your wireless network in the SSID text box, and then select the Enable radio button next to WEP (see Figure 2.82). Click the WEP Settings button to open the Shared Keys window (see Figure 2.83). Select 128 bit 26 hex digits from the drop-down box, and then enter the WEP keys that your wireless network uses.
The WEP keys can be entered in either of two ways:

■ Generate the keys using the same passphrase used to generate the keys on your access point.
■ Manually enter the WEP keys that your access point uses.

Next, click the Apply button on the Shared Keys window and the initial setup screen to save your settings. Finally, add the MAC address of your WET 11 to your allowed MAC address list on your access point.

[Figure 2.82: Set the SSID and Enable WEP]

[Figure 2.83: Enter the WEP Keys]

Understanding and Configuring 802.1X RADIUS Authentication

To provide better security for wireless LANs and in particular to improve the security of WEP, a number of existing technologies used on wired networks were adapted for this purpose, including:

■ Remote Authentication and Dial-In User Service (RADIUS): Provides for centralized authentication and accounting.
■ 802.1X: Provides a method of port-based authentication to local area network (LAN) ports in a switched network environment.

These two services are used in combination with other security mechanisms, such as those provided by the Extensible Authentication Protocol (EAP), to further enhance the protection of wireless networks. Like MAC filtering, 802.1X is implemented at Layer 2 of the Open System Interconnection (OSI) model: It will prevent communication on the network using higher layers of the OSI model if authentication fails at the MAC layer. However, unlike MAC filtering, 802.1X is very secure, since it relies on mechanisms that are much harder to compromise than MAC address filters, which can be easily compromised through spoofed MAC addresses.
Although a number of vendors implement their own RADIUS servers, security mechanisms, and protocols for securing networks through 802.1X, such as Cisco’s LEAP and Funk Software’s EAP-TTLS, this section focuses on implementing 802.1X on a Microsoft network using Internet Authentication Services (IAS) and Microsoft’s Certificate Services. Keep in mind, however, that wireless security standards are a moving target, and standards other than those discussed here, such as PEAP, are being developed and might be available by the time this book is published or in the near future.

Microsoft RADIUS Servers

Microsoft’s IAS provides a standards-based RADIUS server and can be installed as an optional component on Microsoft Windows 2000 and .NET servers. Originally designed to provide a means to centralize the authentication, authorization, and accounting for dial-in users, RADIUS servers are now used to provide these services for other types of network access, including virtual private networks (VPNs), port-based authentication on switches, and, it’s important to note, wireless network access.

IAS can be deployed within Active Directory to use the Active Directory database to centrally manage the login process for users connecting over a variety of network types. Moreover, multiple RADIUS servers can be installed and configured so that secondary RADIUS servers will automatically be used in case the primary RADIUS server fails, thus providing fault tolerance for the RADIUS infrastructure. Although RADIUS is not required to support the 802.1X standard, it is a preferred method for providing the authentication and authorization of users and devices attempting to connect to devices that use 802.1X for access control.

The 802.1X Standard

The 802.1X standard was developed to provide a means of restricting port-based Ethernet network access to valid users and devices.
When a computer attempts to connect to a port on a network device, such as a switch, it must be successfully authenticated before it can communicate on the network using the port. In other words, communication on the network is impossible without an initial successful authentication.

802.1X Authentication Ports

Two types of ports are defined for 802.1X authentication: authenticator and supplicant. The supplicant is the port requesting network access. The authenticator is the port that allows or denies network access. However, the authenticator does not perform the actual authentication of the supplicant requesting access. The authentication of the supplicant is performed by a separate authentication service, located on a separate server or built into the device itself, on behalf of the authenticator. If the authenticating server successfully authenticates the supplicant, it will communicate the fact to the authenticator, which will subsequently allow access.

An 802.1X-compliant device has two logical ports associated with the physical port: an uncontrolled port and a controlled port. Because the supplicant must initially communicate with the authenticator to make an authentication request, an 802.1X-compliant device will make use of a logical uncontrolled port over which this request can be made. Using the uncontrolled port, the authenticator will forward the authentication request to the authentication service. If the request is successful, the authenticator will allow communication on the LAN via the logical controlled port.

The Extensible Authentication Protocol (EAP)

EAP is used to pass authentication requests between the supplicant and a RADIUS server via the authenticator. EAP provides a way to use different authentication types in addition to the standard authentication mechanisms provided by the Point-to-Point Protocol (PPP).
Using EAP, stronger authentication types can be implemented within PPP, such as those that use public keys in conjunction with smart cards. In Windows, there is support for two EAP types:

■ EAP MD-5 CHAP: This allows for authentication based on a username/password combination. A number of disadvantages are associated with using EAP MD-5 CHAP. First, even though it uses one-way hashes in combination with a challenge/response mechanism, critical information is still sent in the clear, making it vulnerable to compromise. Second, it does not provide mutual authentication between the client and the server; the server merely authenticates the client. Third, it does not provide a mechanism for establishing a secure channel between the client and the server.
■ EAP-TLS: This is a security mechanism based on X.509 digital certificates that is more secure than EAP MD-5 CHAP. The certificates can be stored in the Registry or on devices such as smart cards. When EAP-TLS authentication is used, both the client and the server validate one another by exchanging X.509 certificates as part of the authentication process. Additionally, EAP-TLS provides a secure mechanism for the exchange of keys to establish an encrypted channel. Although the use of EAP-TLS is more difficult to configure in that it requires the implementation of a public key infrastructure (PKI)—not a trivial undertaking—EAP-TLS is recommended for wireless 802.1X authentication.

In a paper published in February 2002 by William A. Arbaugh and Arunesh Mishra, An Initial Security Analysis of the IEEE 802.1x Standard, the authors discuss how one-way authentication and other weaknesses made 802.1X vulnerable to man-in-the-middle and session-hijacking attacks. Therefore, although it might be possible to use EAP MD-5 CHAP for 802.1X wireless authentication on Windows XP (pre SP1), it is not recommended. EAP-TLS protects against the types of attacks described by this paper.
The 802.1X Authentication Process

For 802.1X authentication to work on a wireless network, the AP must be able to securely identify traffic from a particular wireless client. This identification is accomplished using authentication keys that are sent to the AP and the wireless client from the RADIUS server. When a wireless client (802.1X supplicant) comes within range of the AP (802.1X authenticator), the following simplified process occurs:

1. The AP issues a challenge to the wireless client.
2. The wireless client responds with its identity.
3. The AP forwards the identity to the RADIUS server using the uncontrolled port.
4. The RADIUS server sends a request to the wireless station via the AP, specifying the authentication mechanism to be used (for example, EAP-TLS).
5. The wireless station responds to the RADIUS server with its credentials via the AP.
6. The RADIUS server sends an encrypted authentication key to the AP if the credentials are acceptable.
7. The AP generates a multicast/global authentication key encrypted with a per-station unicast session key and transmits it to the wireless station.

Figure 2.84 shows a simplified version of the 802.1X authentication process using EAP-TLS.

[Figure 2.84: The 802.1X Authentication Process Using EAP-TLS]

When the authentication process successfully completes, the wireless station is allowed access to the controlled port of the AP and communication on the network can occur. Note that much of the security negotiation in the preceding steps occurs on the 802.1X uncontrolled port, which is only used so that the AP can forward traffic associated with the security negotiation between the client and the RADIUS server. EAP-TLS is required for the process to take place. EAP-TLS, unlike EAP MD-5 CHAP, provides a mechanism to allow the secure transmission of the authentication keys from the RADIUS server to the client.
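The uncontrolled/controlled port split and the simplified exchange described above, modelled as an added Python example (not code from the book). The class and function names, the payload strings and the DHCP frame are constructed for illustration; the EAPOL EtherType 0x888E and the RADIUS Access-Accept/Access-Reject verdicts are the standard values.

```python
from dataclasses import dataclass, field

ETH_EAPOL = 0x888E  # EtherType for EAP over LAN (802.1X)
ETH_IPV4 = 0x0800   # ordinary data traffic


@dataclass
class Authenticator:
    """The AP's port, modelled as the two logical ports described above."""
    authorized: bool = False
    log: list = field(default_factory=list)

    def from_supplicant(self, ethertype, payload):
        # Uncontrolled port: authentication traffic is always relayed to
        # the authentication server, whatever the port state.
        if ethertype == ETH_EAPOL:
            self.log.append(("relay-to-radius", payload))
            return "relayed"
        # Controlled port: any other frame needs a prior successful
        # authentication, otherwise it never reaches the LAN.
        verdict = "forwarded" if self.authorized else "dropped"
        self.log.append((verdict, payload))
        return verdict

    def from_radius(self, code):
        # The authenticator does not judge credentials itself; it only
        # acts on the server's verdict. Anything but Access-Accept closes
        # the controlled port (this also covers a failed re-authentication).
        self.authorized = code == "Access-Accept"
        return "EAP-Success" if self.authorized else "EAP-Failure"


def run_exchange(credentials_ok):
    """Walk one constructed client through the simplified steps above."""
    ap = Authenticator()
    seen = [
        # Data sent before authentication meets the closed controlled port.
        ap.from_supplicant(ETH_IPV4, "DHCP discover"),
        # Steps 2-5: identity and credentials cross the uncontrolled port.
        ap.from_supplicant(ETH_EAPOL, "EAP-Response/Identity"),
        ap.from_supplicant(ETH_EAPOL, "EAP-Response/EAP-TLS"),
        # Step 6: the RADIUS verdict decides the controlled port's state.
        ap.from_radius("Access-Accept" if credentials_ok else "Access-Reject"),
        # The same data frame, retried after the exchange.
        ap.from_supplicant(ETH_IPV4, "DHCP discover"),
    ]
    return seen, ap.log


if __name__ == "__main__":
    for ok in (True, False):
        print(ok, run_exchange(ok)[0])
```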
Advantages of EAP-TLS

There are a number of significant advantages to using EAP-TLS authentication in conjunction with 802.1X:

■ The use of X.509 digital certificates for authentication and key exchange is very secure.
■ EAP-TLS provides a means to generate and use dynamic one-time-per-user, session-based WEP keys on the wireless network.
■ Neither the user nor the administrator knows the WEP keys that are in use.

For these reasons, using EAP-TLS for 802.1X authentication removes much of the vulnerability associated with using WEP and provides a high degree of assurance.

In the following section, we will look at how to configure 802.1X using EAP-TLS authentication on a Microsoft-based wireless network. If you are using other operating systems and software, the same general principles will apply. However, you might have additional configuration steps to perform, such as the installation of 802.1X supplicant software on the client. Windows XP provides this software within the operating system.

Configuring 802.1X Using EAP-TLS on a Microsoft Network

Before you can configure 802.1X authentication on a wireless network, you must satisfy a number of prerequisites. At a minimum, you need the following:

■ An AP that supports 802.1X authentication: You probably won’t find these devices at your local computer hardware store. They are designed for enterprise-class wireless network infrastructures and are typically higher priced. Note that some devices will allow the use of IPSec between the AP and the wired network.
■ Client software and hardware that supports 802.1X and EAP-TLS authentication and the use of dynamic WEP keys: Fortunately, just about any wireless adapter that allows the use of the Windows XP wireless interface will work. However, older wireless network adapters that use their own client software might not work.
■ IAS installed on a Windows 2000 server: This provides a primary RADIUS server and, optionally, is installed on other servers to provide secondary RADIUS servers for fault tolerance.
■ Active Directory
■ A PKI using a Microsoft stand-alone or Enterprise Certificate server to support the use of X.509 digital certificates for EAP-TLS: More certificate servers can be deployed in the PKI for additional security. An Enterprise Certificate server can ease the burden of certificate deployment to clients and the RADIUS server through auto-enrollment of client computers that are members of the Windows 2000 domain.
■ The most recent service packs and patches installed on the Windows 2000 servers and Windows XP wireless clients

After you configure a PKI and install IAS on your Windows 2000 network, there are four general steps to configure 802.1X authentication on your wireless network:

1. Install X.509 digital certificates on the wireless client and IAS servers.
2. Configure IAS logging and policies for 802.1X authentication.
3. Configure the wireless AP for 802.1X authentication.
4. Configure the properties of the client wireless network interface for dynamic WEP key exchange.

Configuring Certificate Services and Installing Certificates on the IAS Server and Wireless Client

After you deploy Active Directory, the first step in implementing 802.1X is to deploy the PKI and install the appropriate X.509 certificates. You will have to install (at a minimum) a single certificate server, either a standalone or enterprise certificate server, to issue certificates. What distinguishes a standalone from an enterprise certificate server is whether it will depend on, and be integrated with, Active Directory.
A standalone CA does not require Active Directory. This certificate server can be a root CA or a subordinate CA, which ultimately receives its authorization to issue certificates from a root CA higher in the hierarchy, either directly or indirectly through intermediate CAs, according to a certification path.

The root CA can be a public or commercially available CA that issues an authorization to a subordinate CA, or it can be one deployed on the Windows 2000 [...]

... a nondefault IP address range, do not allow configuration changes to be made from a wireless client, and keep your firmware up-to-date.

Q: I have heard that WPA is vulnerable to dictionary attacks. What does this mean?

A: A dictionary attack tries to guess the preshared key, password, or passphrase in use by testing it against a list, or dictionary, of words and phrases. By using strong passphrases or,...

(CRL) to verify and validate certificates, especially certificates that have become compromised before their expiration date and have been added to a CRL. If a CRL is not available, authorization will fail. Consequently, a primary design consideration for your PKI is to ensure that the CRLs are highly available. Normally, the CRL is stored on the CA; however, additional distribution points for the CRL can...

network, rather than have dial-in access policies defined on each RRAS server. A primary advantage of doing this is easier administration and centralized logging of dial-in access. Installing an IAS server also provides a standards-based RADIUS server that is required for 802.1X authentication. As with configuring RRAS, you will need to add and configure a Remote Access Policy to grant access. A Remote Access...
measure that you should take. Any attacker with a “default” configuration profile is able to associate with an access point that has a default SSID. Assigning a unique SSID in and of itself doesn’t offer much protection, but it is one layer in your wireless defense. Many attackers use active wireless scanners to discover target wireless networks. Active scanners rely on the access point beacon to locate it. This...

major threats wireless technologies introduce into the workplace and presents strategies to properly reduce and mitigate these threats.

Intruders Accessing Legitimate Access Points

At this stage in the game, the decision has been made to implement a wireless network at your organization. Hopefully the design and implementation of the wireless network was carefully thought out and security was a primary...

low amount of wireless network traffic that is usually generated on a home wireless network, it would take an attacker an extremely long time to capture enough packets to successfully crack the WEP key of your network. An attacker is unlikely to devote the required time and effort to cracking the WEP key on a home network when there are so many other home networks that have no security measures enabled...

RADIUS Authentication

Solutions Fast Track

Enabling Security Features on a Linksys WRT54G, a D-Link DI-624 AirPlus Xtreme G, an Apple Airport Extreme, and a Cisco 1100 Series Access Point

These have been consolidated because they are the recommendations for securing any AP/router and are not specific to a particular hardware:

Assigning a unique SSID to your wireless network is the first security measure...
encryption and dynamically changing keys that make the process of cracking your encryption key more difficult. Only a dictionary attack is possible at this time, so ensure that your passkey/passphrase is robust and not a common dictionary word.

Filtering by Media Access Control (MAC) address allows only wireless cards that you specifically designate to access your wireless network. Again, it is possible to spoof...

consideration, but we know that these factors are not always the reality. Unfortunately, in a rush to implement a new, cool technology, security is often an afterthought. Since the radio frequency (RF) waves that carry a signal cannot be physically contained within the bounds of a specific office building or other geographic location, a wireless network essentially extends your organization’s network as far as...

to him when there are large amounts of vulnerable wireless networks he can hide among?

Chapter 3 • Dangers of Wireless Devices in the Workplace

NOTE: In a rather bizarre criminal case in Canada, police officers stopped a man in his vehicle who was driving the wrong way down a one-way street. The man was found to be naked from the waist down, holding a laptop with a wireless card.

Date posted: 14/08/2014, 18:22
