
Network Security, October 2007, p. 18

AUTHENTICATION

Converging wired and wireless authentication

Bruce Potter, founder, The Shmoo Group

Thankfully, our ability to architect and manage secure wireless networks has improved over the last several years. In the past, wireless networks were a completely separate entity from their wired counterparts and had high costs associated with them. But due to changes in technology, changes in wired networks, and even changes in laws and regulations, wired and wireless networks are beginning to converge. The first major aspect of convergence is authentication: bringing users and devices onto the network in a secure and consistent fashion.

Look at any network diagram in any large enterprise, and you will see two very different types of networks: wired and wireless. Wired networks are depicted as an array of boxes and lines, connecting through routers and switches in a manner that we have become accustomed to over the last several decades. Wireless networks, on the other hand, are usually just clouds, a testament to the unstructured nature of wireless LANs and our ability to architect them. Wireless networks are often surrounded by numerous security mechanisms such as attack sensors, authentication servers, and VPN gateways. A wireless network often looks like a wart on a network diagram, waiting for someone to remove it when the users aren't looking.

History of wireless authentication

Wireless LANs took the world by storm around 2001. At the time, user demand for wireless networking far outstripped the sophistication of the security protocols.

business function. In this case, scan the machine and try to determine where it is vulnerable – this will help you understand how it was infected.

Recovery

Once it is established that the network is under attack, the clean-up must start while damage limitation exercises are rolled out. It is essential to prevent further machines from becoming infected. But it is also essential to prevent the business damage, and this boils down to protecting information. Is any information being modified or stolen? The reverse IDS on the network perimeter can now be updated with signatures developed from the protocol analysis of traffic captured by the sink hole and the results of analysis of the malware within the quarantine network. If outbound malicious traffic is detected, don't simply block the sender. Collect the traffic for further investigation and to be used as evidence.

Prevention

It is essential that you don't end up suffering from the same attack twice. By building up a full understanding of the attack and subsequent infections, you can put in place preventative measures to stop it happening again. Use the quarantine network to devise suitable measures. These can include network ACL filtering, internal IDS, rate limiting, anti-virus signatures, rootkit detectors, and patches.

Organisations exist that can help you analyse the attack. They can also help you to devise suitable preventative measures. Building up a full understanding of the nature of the infection is essential. You should work to understand the initial implementation and exploitation techniques, hiding techniques, communications protocols, and the techniques used to scan the network and infect further machines.

Throughout the response, signatures will have been developed for the reverse IDS and for use within the core of the network on the sink hole. Keep these signatures in place – they may help in detecting the next attack.

Conclusion

This article has attempted to bring together a lot of material to discuss the results of a client-side exploit, and combine it with some advice on creating a more secure network. These attacks are not going to disappear, and attackers will always be creating new methods of subverting the defences put in place. It is therefore essential not only to create a secure network, but also to create an effective process for dealing with the unexpected when it occurs.

About the author

Paul Midian is a principal consultant with Siemens Insight Consulting and is responsible for the security testing service line. In a previous role he has dealt with networks at risk and has witnessed the disruption and effort required to clean up. Having been involved in network security for over ten years he has seen the threat to critical information increase as more services are interconnected. He believes that the biggest cause of network insecurity is human fallibility.


The basic 802.11 security mechanism, WEP, did not stand up to even a casual attack. The encryption mechanism used in WEP provided minimal confidentiality, and the authentication mechanism used was easily bypassed. On top of that, the authentication mechanism in WEP was based on pre-shared keys with a rudimentary key rotation scheme. WEP-based authentication was not scalable in even small enterprises, let alone in large, multinational organisations.


In the face of the lack of a usable authentication mechanism, many new forms of wireless authentication were devised. Using IPSec VPNs became a popular means for controlling access to wireless networks. The wireless network is completely open at layer two. The layer three gateway, a VPN device, forces users to authenticate before building an IPSec tunnel and allowing outbound traffic from the wireless to the wired network. While effective at controlling access, this model is architecturally difficult to integrate and still leaves space for some layer two attacks against the client devices. Other authentication mechanisms, such as captive web portals, work in niche environments but are not suited for general-purpose use.

The standards bodies addressed the security issues with the original 802.11 spec through the creation of 802.11i. 802.11i uses 802.1x authentication for network access. 802.1x has an extensible authentication and authorisation model that allows for arbitrary authentication methods to be used, including passwords, one-time passwords, and certificate-based authentication.

802.1x has become nearly ubiquitous in the last several years thanks to default support in Windows XP, Vista, Mac OS X, and Linux. Almost every major piece of wireless networking gear, from consumer grade to enterprise capable, has integrated 802.1x support. While there are other authentication methods available, 802.11i with 802.1x has emerged as the standard for wireless authentication.

History of wired authentication

For decades, the term 'wired authentication' has made virtually no sense. The pinnacle of wired authentication was making sure you had a cable long enough to reach between your computer and the wall jack. The security of a wired network was dictated by the physical security protecting access to the infrastructure. With strong physical security, attackers wouldn't be able to plug in and therefore your network would be protected. With weak physical security, an attacker could at least connect to the network and obtain layer two access. If the attacker had any skills, and had access to a port inside the firewall, they generally had full network access.

Times change, however, and wired authentication has started to come into vogue. There are a variety of drivers to allow only authorised users access to a wired network. Systems have become very complex and the firewall/network security model we have used for the last decade is not able to effectively protect applications. To stay secure, IT security architects are pushing security all the way to the physical boundary. Some networks now require authentication to be performed at the link layer as soon as a cable is plugged in. Without network-based authentication, the port the attacker is plugged into is useless and therefore cannot be leveraged to launch internal attacks.

Worms, viruses, and other malware have also increased dramatically over the last decade. Many enterprises have been hit by at least one catastrophic virus outbreak that has caused a massive loss of productivity and cash. Even with the best antivirus protection that money can buy, some end systems will have the AV software disabled, be missing a patch, or have some other critical problem that leads to a virus infestation.

Network authentication provides a spigot to control which devices connect to the network, and whether those devices have a security configuration in accordance with an organisation's policy. The idea of quarantining a device to determine patch level and security posture before it is admitted on the network is being pitched hand in hand with network authentication. Microsoft, Cisco, and many smaller companies have network access and quarantine solutions that are deployable today.

Finally, there are now regulations being implemented aimed at raising the bar for information security within the enterprise. Information security, or the lack thereof, has created problems for consumers and investors; federal governments are getting involved to help fix the problem. Protecting personal identifying information (PII) and the assets that access PII has become a big problem for business. A company must be able to demonstrate they are attempting to protect access to PII or else they may face civil or criminal penalties in the event of a security failure. Network authentication and access control are becoming key parts of protecting sensitive information on corporate networks.

There are two competing technologies aimed at controlling network access. The first is the same 802.1x authentication mechanism that is already being used on wireless networks. 802.1x is a natural fit for network vendors since 802.1x is a layer two access control mechanism. Switches that natively understand 802.1x authentication can be very effective at keeping out unauthorised users and stopping attacks before they can even get started.


The other mechanism for controlling network access is the Microsoft Network Access Protection (NAP) capability. NAP, unlike 802.1x, is not geared at the networking equipment directly but rather at the supporting infrastructure. NAP controls access by controlling other aspects of the network such as preventing unauthorised users from obtaining a valid address via DHCP. NAP also leverages XP and Vista's built-in capabilities in order to determine the health and security of the system prior to granting access. Unfortunately, a dedicated attacker will be able to sniff other traffic on the network to determine the proper addressing and should be able to easily bypass NAP's DHCP-based access mechanisms. The NAP solution is effective at keeping the good actors honest but is not as robust at keeping dedicated attackers off the network.
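The gap described above (DHCP-based enforcement only ever sees hosts that ask DHCP for an address) can be checked for from the defender's side by reconciling the DHCP server's lease log with what is actually present on the segment, and alerting on any IP/MAC pair that has no matching lease. This is an added example, not code from the article or from NAP; its lease-log and ARP-table line formats, the hypothetical `exempt_macs` allow-list for known static infrastructure, and all sample data are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed lease-log line shape: "... DHCPACK on <ip> to <mac> ..."
_LEASE_RE = re.compile(r"DHCPACK on (\d+\.\d+\.\d+\.\d+) to ([0-9a-f:]{17})", re.I)
# Constructed ARP/neighbour-table line shape: "<ip> <mac>"
_ARP_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f:]{17})", re.I)

def parse_leases(lines: List[str]) -> Dict[str, str]:
    """Map each MAC to the IP it was most recently ACKed (later lines win)."""
    leases: Dict[str, str] = {}
    for line in lines:
        m = _LEASE_RE.search(line)
        if m:
            leases[m.group(2).lower()] = m.group(1)
    return leases

def parse_arp(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs currently present on the segment."""
    pairs = []
    for line in lines:
        m = _ARP_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs

def find_unleased(leases: Dict[str, str], arp: List[Tuple[str, str]],
                  exempt_macs=frozenset()) -> List[Tuple[str, str, str]]:
    """Flag (ip, mac, reason) for hosts whose address did not come from DHCP.
    exempt_macs lists known static infrastructure such as the gateway."""
    findings = []
    for ip, mac in arp:
        if mac in exempt_macs:
            continue
        leased_ip = leases.get(mac)
        if leased_ip is None:
            findings.append((ip, mac, "no DHCP lease for this MAC"))
        elif leased_ip != ip:
            findings.append((ip, mac, f"using {ip} but leased {leased_ip}"))
    return findings

# Constructed sample: two leased clients, the gateway (static by design),
# a client that also configured an address it was never leased, and a
# host that never asked DHCP at all.
SAMPLE_LEASES = [
    "Oct 18 09:12:01 dhcpd: DHCPACK on 10.0.5.21 to 00:16:d3:aa:bb:01 via eth0",
    "Oct 18 09:13:40 dhcpd: DHCPACK on 10.0.5.22 to 00:16:d3:aa:bb:02 via eth0",
]
GATEWAY_MAC = "00:00:5e:00:01:01"
SAMPLE_ARP = [
    "10.0.5.1    00:00:5e:00:01:01",
    "10.0.5.21   00:16:d3:aa:bb:01",
    "10.0.5.22   00:16:d3:aa:bb:02",
    "10.0.5.23   00:16:d3:aa:bb:02",
    "10.0.5.200  00:1c:42:cc:dd:03",
]

def demo() -> List[Tuple[str, str, str]]:
    """Run the reconciliation over the constructed sample and return the alerts."""
    return find_unleased(parse_leases(SAMPLE_LEASES), parse_arp(SAMPLE_ARP), {GATEWAY_MAC})
```

On the sample data this reports the client that added an unleased 10.0.5.23 and the statically addressed 10.0.5.200, while the exempted gateway stays quiet; in practice the findings feed an alert rather than an automatic block, for the same evidence-preservation reason given earlier on this page.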

Bringing it all together

What were historically two discrete aspects of an enterprise's network, wired and wireless, have reached a point where both have a common authentication solution. It is interesting that the reason wireless networks have reached a point where 802.1x makes sense is totally different from the reason wired users will use 802.1x. Wireless networks are natively physically unconstrained and therefore need strong authentication regardless of the specific assets being protected or the underlying legal constructs. Wired networks have become complicated enough over the last few years that network access control suddenly makes sense.

Enterprises are now at a point where a leap forward can be made with respect to the economics and effectiveness of network-based authentication. While it is entirely possible to use proprietary wireless authentication and a non-interoperable wired network access control mechanism, there is no real need to. From a security and scalability perspective, 802.1x solutions provide a real economy of scale while meeting most organisations' security needs. The same factors for authentication can be used on both networks without any increased user education or burden. There is an obvious difference between wired and wireless when it comes to the need for confidentiality. Wireless networks still need to use some form of encryption for ensuring the confidentiality of the network transmissions. However, this is a separate need and is easily addressed through the use of standards such as 802.11i.

Parting shots

Wireless networks are relative newcomers to the networking world. However, in the short time wireless LANs have had wide acceptance, they have pushed the boundaries for authentication, authorisation, and confidentiality of large deployment networks. Through a series of technological and legal steps, wired networks are starting to bump up against the same problems that wireless networks have. While wired confidentiality is not an issue (yet), wired and wireless authentication is a big problem within many enterprises. With the advent of 802.1x and the authentication mechanisms therein, enterprises can unify what would otherwise be two disparate and individually expensive systems into one, unified authentication model.

About the author

Bruce Potter is the founder of The Shmoo Group of security, crypto, and privacy professionals. He helps organise the yearly ShmooCon security conference held each winter in Washington DC. Mr. Potter, a senior associate at Booz Allen Hamilton, specialises in wireless security, IT security operations, and advanced network defence techniques.

EVENTS CALENDAR

16-19 October 2007: Third Workshop on Secure Network Protocols. Location: Beijing, China. Website: http://homes.cerias.purdue.edu/~crisn/npsec2007/cfp.html

23-24 October 2007: Black Hat Japan. Location: Tokyo, Japan. Website: www.blackhat.com/html/bh-japan-07/bh-jp-07-en-index.html

29 October 2007: Workshop on Privacy in the Electronic Society. Location: Alexandria, VA, USA. Website: www.csc2.ncsu.edu/workshops/wpes07/

29-31 October 2007: International Workshop on Security. Location: Nara, Japan. Website: www.iwsec.org

30-31 October 2007: Mobile Security Conference. Location: Boston, MA, USA. Website: www.pulver.com/mobileSecurity/2007/boston/web/

31 October – 2 November 2007: International Conference on Provable Security. Location: Wollongong, Australia. Website: www.informatics.uow.edu.au/provsec07/

3-9 November 2007: CSI 2007. Location: Arlington, VA, USA. Website: www.csiannual.com

20-21 November 2007: Illuminating the Black Art of Security. Location: Toronto, Ontario, Canada. Website: www.sector.ca