Professional Documents
Culture Documents
Course Number
Presentation_ID © 2001, Cisco Systems, Inc. All rights reserved. 1
Agenda
• 802.11 Standards
• WLAN Security Solutions
• WLAN Design Concepts
• Conclusion
WLAN
• Authentication
• Data Privacy
• Open – No Authentication
Issue – Anyone can be authenticated
• Shared – Use WEP Key to encrypt AP Challenge
Issue – Easy to determine WEP Key
• Assumed Authentication Methods - SSID, MAC Address
Issue – SSID – Association, never intended for security
Issue – MAC – Sent in clear, very easily spoofed
• Published Papers – University of Maryland, April 2001
WEP Key never sent over the wire, derived by end station & Authentication server
Presentation_ID © 2001, Cisco Systems, Inc. All rights reserved. 14
802.11i & WPA Encryption Algorithms
WLAN
Encrypted IP
VPN Concentrator
5.5 Mbps 5.5 Mbps 5.5 Mbps 5.5 Mbps 5.5 Mbps
Security
DISA Enclave Security
DISA Enclave
Base
Base
Hangar
WLAN(s)
WLAN
Security WLAN
Enclave Security
Enclave
Base
WLAN(s) Conf Room
WLAN(s) Other
WLAN(s)
Network
Control
Center
Authentication
L3 Switch Server
Backbone
Network
WLSE
WLAN VLAN
Wired VLANs
Bldg1 Bldg2
Management Console
ACS, WLSE & IDS
100.100.100.0 – WLAN
Bldg1 200.200.200.0 - Wired
Backbone
Bldg2
100.100.101.0 – WLAN 100.100.102.0 – WLAN
200.200.201.0 - Wired 100.100.103.0 - WLAN
Hangars 200.200.202.0 - Wired
AP – VLAN 103
Bldg3
Wired
Users
ROAM ROAM
VLAN 201
Bldg5
VLAN 101 Wired
Conference Rooms AP – VLAN 102 Users
VLAN 202
ROAM
Presentation_ID © 2001, Cisco Systems, Inc. All rights reserved. Bldg4 Bldg6 24
Wireless IPSec
VPN
Concentrator
WLAN
Security
Enclave Network
Control
WIN CE Based Scanner
WLAN Client Sec Center
VPN Client IP
AP
IPS
c
Se
Backbone
ec
Bldg1
IP
WEP
Bldg3
MS-DOS Based Scanner
Bldg2 WLAN Client
Hardware No VPN Client
Laptop
VPN Client
WLAN Client
VPN Client
AP AP
WEP
WEP
Presentation_ID © 2001, Cisco Systems, Inc. All rights reserved. 25
802.11i with AES Design
802.11i w/AES
IPS
Enclave Protection from other Base Traffic
ec
Tun
AP
nel
ITN
EUB
802.11i - AES
Wireless VLAN back to
Security enclave
Laptop
EUB
WLAN Client EUB
MS-DOS Based Scanner
WLAN Client
802.11i - AES AP AP
802.11i - AES
Presentation_ID © 2001, Cisco Systems, Inc. All rights reserved. 26
Different Users, Different Access –
Common WLAN
Guest or Contractor
AP Authentication
– Rogue Access Point Detection Wired Network
Per-packet hashing
– Change WEP key per packet
Broadcast key rotation
– Change WEP Key for broadcast
and multicast
Publicly Secure Packet
Forwarding (PSPF)
– Prevent client to client PSPF
communication in a WLAN
WLAN Corporate
Unique IP address range 10.0.0.0 168.94.0.0
Routes
(ie 10.0.0.0) WLAN VPN
168.94.100.0
Not routed outside WLAN
perimeter
Only devices on network
are APs WLAN
10.0.0.0
IPS
• After VPN
ec
Authentication
Client assigned valid IP
address (in IPSec tunnel) WLAN IP 10.1.1.1
VPN IP 168.94.100.1
Special IP range just for
WLAN users (ie
168.94.100.0/24)
AP
WEP
Presentation_ID © 2001, Cisco Systems, Inc. All rights reserved. 38
Initial IEEE 802.11 Security – Data Privacy
How 802.11 WEP Encryption Works
24 bits
Seed RC4
40 or 104 bits
WEP
WEP Key Encrypted
Payload
CRC-32 And
ICV
CRC-32
Frame Payload
ICV
IV PACKET KEY
• Hardening WEP
Temporal Key Integrity Protocol (TKIP)
RC4 STREAM CIPHER
- Stronger keys, reduce IV attack,
rotation of keys
Message Integrity Check (MIC)
WEP Frame - No MIC
DA SA IV Data ICV
-Prevent Replay attack,
authenticity of frame
MIC WEP Encrypted
Presentation_ID © 2001, Cisco Systems, Inc. All rights reserved. WEP Encrypted 40