CiscoSAFE:WirelessLANSecurityinDepth资源-CSDN文库

需积分: 10 132 浏览量 2009-12-27 23:54:59 上传评论收藏 1.6MB PDF 举报

资源推荐

资源详情

资源评论

Cisco Systems, Inc.

Page 1 of 75

White Paper

Cisco SAFE: Wireless LAN Security in Depth

Authors

Sean Convery (CCIE #4232), Darrin Miller (CCIE #6447), and Sri Sundaralingam are

the primary authors of this white paper. Mark Doering, Pej Roshan, Stacey Albert,

Bruce McMurdo, and Jason Halpern provided signiﬁcant contributions to this paper

and are the lead architects of Cisco’s reference implementation in San Jose,

California, USA. All are network architects who focus on wireless LAN, VPN, or

security issues.

Abstract

This paper provides best-practice

information to interested parties for

designing and implementing wireless LAN

(WLAN) security in networks utilizing

elements of the Cisco SAFE Blueprint for

networksecurity.AllSAFEwhitepapersare

available at the SAFE Web site:

http://www.cisco.com/go/safe

These documents were written to provide

best-practice information on network

securityand virtual-private-network(VPN)

designs. Although you can read this

document without having read either of the

twoprimarysecuritydesigndocuments,itis

recommended that you read either “SAFE

Enterprise” or “SAFE Small, Midsize and

Remote-User Networks” before

continuing.

This paper frames the WLAN

implementation within the context of the

overall security design. SAFE represents a

system-based approach to security and

VPN design. This type of approach focuses

on overall design goals and translates those

goals into speciﬁc conﬁgurations and

topologies. In thecontext of wireless, Cisco

recommends that you also consider

network design elements such as mobility

and quality of service (QoS) when deciding

on an overall WLAN design. SAFE is based

on Cisco products and those of its partners.

This document begins with an overview of

the architecture, and then details the

speciﬁc designs under consideration.

Becausethisdocumentrevolvesaround two

principal design variations, these designs

are described ﬁrst in a generic sense, and

then are applied to SAFE. The following

designs are covered in detail:

• Large-network WLAN design

• Medium-network WLAN design

• Small-network WLAN design

• Remote-user WLAN design

Each design may have multiple modules

that address different aspects of WLAN

technology. The concept of modules is

addressed in the SAFE security white

papers.

Following the discussion of the speciﬁc

designs, Appendix A details the validation

lab for SAFE wireless and includes

conﬁguration snapshots. Appendix B is a

primer on WLAN. If you are unfamiliar

with basic WLAN concepts, you should

read this section before the rest of the

Cisco Systems, Inc.

Page 2 of 75

document. Appendix C provides more details on rogue access point detection and prevention techniques. Finally,

Appendix D discusses high availability design criteria for services such as RADIUS and DHCP in order to secure

WLANs.

Audience

Though this document is technical in nature, it can be read at different levels of detail, depending on your level of

interest. A network manager, for example, can read theintroductory sectionsin each area to obtain a good overview

of security design strategies and consideration for WLAN networks. A network engineer or designer can read this

document in its entirety and gain design information and threat analysis details, which are supported by actual

conﬁguration snapshots for thedevices involved. Becausethis document covers a widerange of WLAN deployments,

it may be helpful to read the introductory sections of the paper ﬁrst and then skip right to the type of WLAN you

are interested in deploying.

Caveats

This document presumes that you already have a security policy in place. Cisco Systems does not recommend

deploying WLANs—or any networking technology—without an associated security policy. Although network

securityfundamentals arementioned in thisdocument, theyarenot describedin detail.Securitywithin thisdocument

is always mentioned as it pertains to WLANs.

Even thoughWLANs introduce security risks, manyorganizations choose to deploy WLANs because they bring user

productivity gains and simplify deployment of small networks. Following the guidelines in this document does not

guarantee a secure WLAN environment, nor does it guarantee that you will prevent all penetrations. By following

the guidelines, you will mitigate WLAN security risks as much as possible.

Though this document contains a large amount of detail on most aspects of wireless security, the discussion is not

exhaustive. In particular, the document does not address wireless bridges, personal digital assistants (PDAs), or

non-802.11-based WLAN technology. In addition, it does not provide speciﬁc best practices on general WLAN

deployment and design issues that are not security related.

During the validation of SAFE, real products were conﬁgured in the exact network implementation described in this

document. Speciﬁc conﬁguration snapshots from the lab are included in Appendix A, “Validation Lab.”

Throughout this document the term “hacker” denotes an individual who attempts to gain unauthorized access to

network resources with malicious intent. Although the term “cracker” is generally regarded as the more accurate

word for this type of individual, hacker is used here for readability.

Architecture Overview

Design Fundamentals

Cisco SAFEwireless emulates as closely as possible thefunctional requirements of today’s networks.Implementation

decisions varied, depending on the network functionality required. However, the following design objectives, listed

in order of priority, guided the decision-making process:

• Security and attack mitigation based on policy

• Authentication and authorization of users to wired network resources

Cisco Systems, Inc.

Page 3 of 75

• Wireless data conﬁdentiality

• User differentiation

• Access point management

• Authentication of users to network resources

• Options for high availability (large enterprise only)

First and foremost, SAFE wireless needs to provide a secure WLAN connectivity option to enterprise networks. As

a connectivity option, WLAN access must adhere to an organization’s security policy as closely as possible. In

addition, it must provide this access as securely as possible while recognizing the need to maintain as many of the

characteristics of a traditional wired LAN as possible. Finally, WLANs must integrate with existing network designs

based on the SAFE security architecture.

SAFE WLAN Axioms

Wireless Networks Are Targets

Wireless networks have become one of the most interesting targets for hackers today. Organizations today are

deploying wireless technology at a rapid rate, often without considering all security aspects. This rapid deployment

is due, in part, to the low cost of the devices, ease of deployment, and the large productivity gains. Because WLAN

devices ship with all security features disabled, increasing WLAN deployments have attracted the attention of the

hacker community. Several Web sites document freely available wireless connections throughout the United States.

Although most hackers are using these connections as a means to get free Internet access or to hide their identity, a

smaller group sees this situation as an opportunity to break into networks that otherwise might have been difﬁcult

to attack from the Internet. Unlike a wired network, a WLAN sends data over the air and may be accessible outside

the physical boundary of an organization. When WLAN data is not encrypted, the packets can be viewed by anyone

within radio frequency range. For example, a person with a Linux laptop, a WLAN adapter, and a program such as

TCPDUMP can receive, view, and store all packets circulating on a given WLAN.

Interference and Jamming

It is also easy to interfere with wireless communications. A simple jamming transmitter can make communications

impossible.For example,consistentlyhammering anaccesspoint withaccessrequests, whethersuccessful or not,will

eventually exhaust its available radio frequency spectrumand knock it off thenetwork. Other wireless services inthe

same frequency range as a WLAN can reduce the range and usable bandwidth of the WLAN. “Bluetooth”

technology, used to communicate between handsets and other information appliances, is one of many technologies

today that use the same 2.4-GHz radio frequency as WLAN devices and can interfere with WLAN transmissions.

MAC Authentication

WLAN access points can identify every wireless card ever manufactured by its unique Media Access Control (MAC)

address that is burned into and printed on the card. Some WLANs require that the cards be registered before the

wirelessservices canbeused. Theaccesspoint thenidentiﬁesthe cardbythe user,but thisscenariois complexbecause

every access point needs to have access to this list. Even if it were implemented, it cannot account for hackers who

use WLAN cards that can be loaded with ﬁrmware that does not use the built-in MAC address, but a randomly

chosen, or deliberately spoofed, address. Using this spoofed address, a hacker can attempt to inject network trafﬁc

or spoof legitimate users.

Cisco Systems, Inc.

Page 4 of 75

Ad Hoc Versus Infrastructure Modes

Most WLANs deployed by organizations operate in a mode called “infrastructure.” In this mode, all wireless clients

connect through an access point for all communications. You can, however, deploy WLAN technology in a way that

forms anindependent peer-to-peernetwork, which is more commonly called anad hoc WLAN. Inan ad hoc WLAN,

laptopor desktopcomputersthat are equippedwith compatible WLANadapters andarewithin range ofone another

can share ﬁles directly, without the use of an access point. The range varies, depending on the type ofWLAN system.

Laptop and desktop computers equipped with 802.11b or 802.11a WLAN cards can create ad hoc networks if they

are within at least 500 feet of one another.

The security impact of ad hoc WLANs is signiﬁcant. Many wireless cards, including some shipped as a default item

by PC manufacturers, supportad hoc mode.When adapters usead hoc mode,any hacker with an adapter conﬁgured

for ad hoc mode and using the same settings as the other adapters may gain unauthorized access to clients.

Denial or Degradation of Service

802.11 management messages including the beacon, probe request or response, association request or response,

re-association request or response, disassociation, and de-authentication are not authenticated. Without

authenticating these management messages, denial-of-service (DoS) attacks are possible. An example of this type of

DoS attack has been demonstrated with open source tools such as wlan-jack.

Wireless Networks Are Weapons

Arogue access pointisone thatisaccessible to anorganization’s employeesbutis not managedasa partofthe trusted

network. Most rogue access points are installed by employees for which IT is not providing WLAN access. A typical

rogue access point, then, is an inexpensive one that an employee purchases and installs by plugging it into an

available switch port, often with no security measures enabled. A hacker, even one outside the physical boundaries

of an organization’s facilities,can gain accessto thetrusted networksimply byassociating witha rogueaccess point.

Another type of rogue access point is one that masquerades as a trusted access point and tricks WLAN users into

associating with it, thereby enabling a hacker to manipulate wireless frames as they cross the access point.

The threat posed by rogue access points can be mitigated by preventing their deployment and detecting those rogue

accesspoints thataredeployed. Thefollowingcomponents arerequired inorderto mitigatethethreat ofrogue access

points. A detailed discussion of these points can be found in Appendix C, “Rogue Access Point Additional

Information.”

Prevention

• Corporate policy

• Physical security

• Supported WLAN infrastructure

• 802.1X port-based security on edge switches

Detection

• Using wireless analyzers or sniffers

• Using scripted tools on the wired infrastructure

• Physically observing WLAN access point placement and usage

Cisco Systems, Inc.

Page 5 of 75

802.11 Is Insecure

As discussed in the primer (Appendix B), 802.11b and 802.11a are the most widely deployed WLAN technologies

today. Traditional 802.11 WLAN security includes the use of open or shared-key authentication and static wired

equivalent privacy (WEP) keys. This combination offers a rudimentary level of access control and privacy, but each

element can be compromised. The following sections describe these elements and the challenges of their use in

enterprise environments.

Authentication

The 802.11 standard supports two means of client authentication: open and shared-key authentication. Open

authentication involves little more than supplying the correct service set ID (SSID). Withopen authentication,the use

of WEP prevents the client from sending data to and receiving data from the access point, unless the client has the

correct WEPkey. Withshared-key authentication, theaccess point sends the client device achallenge text packet that

the client must then encrypt with the correct WEP key and return to the access point. If the client has the wrong key

or no key, authentication will fail and the client will not be allowed to associate with the access point. Shared-key

authentication is not considered secure because a hacker who detects both the clear text challenge and the same

challenge encrypted with a WEP key can decipher the WEP key.

Key Management

Another type of key that is often used—but is not considered secure—is a “static” WEP key. A static WEP key is a

key composed of either 40 or 128 bits that is statically deﬁned by the network administrator on the access point and

all clients that communicate with the access point. When static WEP keys are used, a network administrator must

perform the time-consuming task of entering the same keys on every device in the WLAN.

If a device that uses static WEP keys is lost or stolen, the possessor of the stolen device can access the WLAN. An

administrator will not be able to detectthat an unauthorized user has inﬁltrated the WLAN until and unless the theft

is reported.The administrator must thenchange the WEP keyon every device thatuses the same static WEP key used

by the missing device. In a large enterprise WLAN with hundreds or even thousands of users, this can be a daunting

task. Worse still, if a static WEP key is deciphered through a tool such as AirSnort, the administrator has no way of

knowing that the key has been compromised by a hacker.

WEP

The 802.11 standards deﬁne WEP as a simple mechanism to protect the over-the-air transmission between WLAN

access points and network interface cards (NICs). Working at the data link layer, WEP requires that all

communicating parties share the same secret key. To avoid conﬂicting with U.S. export controls that were in effect

at the time the standard was developed, 40-bit encryption keys were required by IEEE 802.11b, though many

vendors now support the optional 128-bit standard. WEP can be easily cracked in both 40- and 128-bit variants by

using off-the-shelf tools readily available on the Internet. On a busy network, 128-bit static WEP keys can be

obtained in as little as 15 minutes, according to current estimates. These attacks are described in more detail in the

following paragraphs.

剩余74页未读，继续阅读

评论收藏

内容反馈

aaf812000

粉丝: 39
资源: 222

Cisco SAFE: Wireless LAN Security in Depth

Cisco Wireless LAN Security

Cisco.Wireless.Lan.Security

Cisco Wireless LAN Controller Configuration Guide, Release 7.6

Cisco Wireless LAN Controller Configuration Guide, Release 4.0.pdf

Cisco Press：Cisco Wireless LAN Security.pdf

Cisco Press:LAN Switch Security- What Hackers Know About Your Switches.pdf

Cisco Press: Cisco LAN Switching Fundamentals.chm

ap3g2-rcvk9w8-tar.153-3.JH1.tar

Cisco.Press.802.11.Wireless.LAN.Fundamentals.eBook-LiB.chm

Cisco.Press.802.11.Wireless.LAN.Fundamentals.eBook-kB.pdf

Cisco.Press.Deploying.and.Troubleshooting.Cisco.Wireless.LAN.Controllers.

Networkers2009：BRKCAM-2002 - Integrated Security for Wireless LAN and Guest Access

802.11.Wireless.LAN.Fundamentals.Cisco.Press.eBook

CiscoWorks Wireless LAN Solution Engine（WLSE）白皮书（英文）

CiscoWorks Wireless LAN Solution Engine（WLSE）Express产品手册（英文）

Building a Cisco Wireless LAN(syngress安全图书)

Cisco Press：Designing Network Security Second Edition.chm

[Cisco.Press].The.Wireless.LAN.Book.for.Enterprises

Cisco.Press.LAN.Switch.Security.Sep.2007.pdf

Wireless 802.11 LAN Security_ Understanding the Key Issues.rar

Cisco.Press.LAN.Switch.Security.Sep.2007

Cisco Press LAN Switch Security 英文版

Cisco Press：Deploying Voice over Wireless LANs.chm

Cisco Press：End-to-End Network Security-Defense-in-Depth.pdf

Wireless_LAN

Cisco Press：Cisco Security Architectures.pdf

CCNA_08_Wireless LAN Security

最新资源