SAFE Wireless LAN Security in Depth presentation

Contents

Wireless LAN Security Concepts © 2005 Cisco Systems, Inc. All rights reserved. CSI v2.1—14-

Slide 1: Lesson 14
SAFE Wireless LAN Security in Depth

Slide 2: Wireless LAN Security Concepts

Slide 3: The Need for Wireless
Standard 802.11-based WLANs provide mobility to network users while maintaining the requisite connectivity to corporate resources.

Slide 4: Types of Wireless Technology
Functional view:
  Peer-to-peer WLANs
  Multiple-cell WLANs
  Building-to-building wireless networks
Technology view:
  802.11
  HiperLAN
  HomeRF SWAP
  Bluetooth


Slide 5: 802.11 Wireless Technology
The Wi-Fi Alliance provides branding for 802.11-based technology.
Standard 802.11-based wireless technologies take advantage of the radio spectrum that is deemed usable for the public.
The 802.11 standard specifically takes advantage of two frequency bands:
  2.4-to-2.4835-GHz UHF band, used for 802.11 and 802.11b networks
  5.15-to-5.825-GHz SHF band, used for 802.11a-based networks

Slide 6: WLAN Radio Frequency Methods
The 802.11 standard specifies two different types of Layer 1 physical interfaces for radio-based devices:
  Direct sequencing
  Frequency hopping
[Diagram: frequency, time and power plots for direct sequencing and for frequency hopping in the 2.4 GHz to 2.483 GHz band; in the frequency-hopping plot one slot is marked "Channel Not in Use"]

Slide 7: Wireless Security
As standardized by the IEEE, security for 802.11 networks can be simplified into two main components:
  Frame encryption
  Authentication
[Diagram: client, access point and RADIUS server; a tunnel is shown between the client and the access point]

Slide 8: WLAN Components
The following are WLAN components:
  Access Point
  Bridge
  Antenna
  Network Interface Card (Client Adapter)


Slide 9: SAFE Wireless LAN Caveats and Design Considerations (Axioms)


Slide 10: SAFE WLAN Caveats
SAFE WLAN is based on the following caveats:
  Several WLAN technologies are not covered.
  SAFE guidelines do not guarantee a secure environment.
  A security policy is in place.


Slide 11: SAFE WLAN Design Considerations (Axioms)
SAFE WLAN is based on the following design considerations:
  Wireless networks are targets.
  Wireless networks are weapons.



Slide 12: SAFE WLAN Design Considerations (Axioms) (Cont.)
Traditional 802.11 WLAN security elements are:
  Authentication
  Key management
  WEP
802.11 is insecure.


Slide 13: Wireless LAN Security Extensions

Slide 14: WLAN Networks Are Targets: Security Extensions Are Required
The IEEE 802.11 task group is standardizing the following technologies for WLAN authentication and encryption improvements:
  IPSec
  802.1x EAP


Slide 15: EAP Authentication Process
[Diagram: wireless computer with EAP supplicant, access point with EAP/802.1X support, access switch, RADIUS server with EAP support and dynamic WEP key generation (connected to the user database), campus network]
1. Client associates with access point.
2. Access point blocks all user requests to access LAN.
3. User provides login authentication credentials.
4. RADIUS server authenticates user.
5. User authenticates RADIUS server.
6. RADIUS server and client derive unicast WEP key.
7. RADIUS server delivers unicast WEP key to access point.
8. Access point delivers broadcast WEP key, encrypted with unicast WEP key, to client.
9. Client and access point activate WEP and use unicast and broadcast WEP keys for transmission.


Slide 16: EAP Benefits
EAP provides three significant benefits over basic 802.11 security:
  Mutual authentication scheme
  Centralized management and distribution of encryption keys
  Centralized policy control

Slide 17: EAP Types
Current EAP types include:
  Cisco LEAP
  EAP-TLS
  PEAP
  EAP-TTLS
  EAP-SIM


Slide 18: LEAP Authentication Process
[Diagram: wireless computer with LEAP supplicant, access point with Cisco LEAP support, access switch, RADIUS server with LEAP support and dynamic WEP key generation (connected to the user database), campus network]
1. Client associates with access point.
2. Access point blocks all user requests to access LAN.
3. User provides login authentication credentials.
4. RADIUS server authenticates user.
5. User authenticates RADIUS server.
6. RADIUS server and client derive unicast WEP key.
7. RADIUS server delivers unicast WEP key to access point.
8. Access point delivers broadcast WEP key, encrypted with unicast WEP key, to client.
9. Client and access point activate WEP and use unicast and broadcast WEP keys for transmission.


Slide 19: EAP-TLS Authentication Process
[Diagram: wireless computer with EAP-TLS supplicant, access point with EAP/802.1X support, access switch, RADIUS server with EAP-TLS support and dynamic WEP key generation (connected to the user database), campus network]
1. Client associates with access point.
2. Access point blocks all user requests to access LAN.
3. User authenticates RADIUS server (via digital certificate).
4. RADIUS server authenticates user (via digital certificate).
5. RADIUS server and client derive unicast WEP key.
6. RADIUS server delivers unicast WEP key to access point.
7. Access point delivers broadcast WEP key, encrypted with unicast WEP key, to client.
8. Client and access point activate WEP and use unicast and broadcast WEP keys for transmission.


Slide 20: PEAP Authentication Process
[Diagram: wireless computer with PEAP supplicant, access point with PEAP support, access switch, RADIUS server with PEAP support and dynamic WEP key generation (connected to the user database), campus network]
1. Client associates with access point.
2. Access point blocks all user requests to access LAN.
3. Client verifies RADIUS server's digital certificate.
4. RADIUS server authenticates user (example: OTP authentication).
5. RADIUS server and client derive unicast WEP key.
6. RADIUS server delivers unicast WEP key to access point.
7. Access point delivers broadcast WEP key, encrypted with unicast WEP key, to client.
8. Client and access point activate WEP and use unicast and broadcast WEP keys for transmission.
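The EAP, LEAP, EAP-TLS and PEAP sequences on slides 15 to 20 all share one shape: the access point keeps the port blocked, the user and the RADIUS server authenticate each other, both sides derive a unicast key, and the access point then hands the client a broadcast key wrapped under that unicast key. The Python model below is an added example, not code from the Cisco slides; its HMAC challenge-response and XOR key wrap are constructed stand-ins for the real LEAP/EAP-TLS exchanges and for WEP/RC4, the EAP messages go to the RADIUS server directly rather than being relayed by the access point, and the names USER_DB, prf, wrap, AccessPoint, RadiusServer and eap_session are assumptions.

```python
import hmac
import hashlib
import os

# Constructed sample user database behind the RADIUS server (hypothetical user and secret).
USER_DB = {"alice": b"correct-horse-battery"}

def prf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in PRF (HMAC-SHA256); the real LEAP/EAP-TLS derivations are different."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def wrap(key: bytes, data: bytes) -> bytes:
    """Toy key wrap: XOR with a PRF keystream. Stands in for WEP/RC4, not real WEP."""
    return bytes(a ^ b for a, b in zip(data, prf(key, b"wrap")))

class AccessPoint:
    """Authenticator: the 802.1X port stays blocked until RADIUS delivers a key (step 2)."""
    def __init__(self):
        self.port_open = False
        self.unicast_key = None
        self.broadcast_key = os.urandom(13)      # 104-bit group key, constructed per AP

    def forward(self, frame: bytes) -> bytes:
        if not self.port_open:
            raise PermissionError("802.1X port unauthorized: LAN access blocked")
        return frame

    def install_unicast_key(self, key: bytes) -> bytes:
        self.unicast_key, self.port_open = key, True   # step 7: key arrives, port opens
        return wrap(key, self.broadcast_key)           # step 8: broadcast key, wrapped

class RadiusServer:
    """Checks the user's proof (step 4), proves itself (step 5), derives the key (step 6)."""
    def authenticate(self, user, client_proof, server_chal, client_chal):
        secret = USER_DB.get(user)
        if secret is None or not hmac.compare_digest(client_proof, prf(secret, b"c", server_chal)):
            return None                                # Access-Reject: nothing reaches the AP
        server_proof = prf(secret, b"s", client_chal)
        unicast = prf(secret, b"unicast", server_chal, client_chal)[:13]
        return server_proof, unicast

def eap_session(user: str, password: bytes, ap: AccessPoint, radius: RadiusServer) -> dict:
    """Runs steps 1-9 of the slide; returns what the client and the AP end up holding."""
    result = {"port_open": False, "client_keys": None}
    server_chal, client_chal = os.urandom(16), os.urandom(16)   # challenges after association (step 1)
    client_proof = prf(password, b"c", server_chal)             # step 3: credentials as a proof
    reply = radius.authenticate(user, client_proof, server_chal, client_chal)
    if reply is None:
        return result                                           # step 4 failed: port stays blocked
    server_proof, unicast = reply
    if not hmac.compare_digest(server_proof, prf(password, b"s", client_chal)):
        return result                                           # step 5 failed: rogue server, abort
    client_unicast = prf(password, b"unicast", server_chal, client_chal)[:13]   # step 6
    wrapped = ap.install_unicast_key(unicast)                   # steps 7 and 8
    broadcast = wrap(client_unicast, wrapped)                   # client unwraps the group key
    result.update(port_open=ap.port_open, client_keys=(client_unicast, broadcast))  # step 9
    return result
```

A wrong password or an unknown user leaves the port blocked and gives the client no keys, which is the behaviour step 2 of the slide relies on.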


Slide 21: WEP Enhancements
IEEE 802.11i includes two encryption enhancements in its draft standard for 802.11 security:
  TKIP: A set of software enhancements to RC4-based WEP
  AES: A stronger alternative to RC4

Slide 22: Cisco Wireless LAN Product Portfolio


Slide 23: Cisco Aironet WLAN Product Line
Wireless LAN Aironet access points:
  Cisco Aironet 1300 Series
  Cisco Aironet 1230AG Series
  Cisco Aironet 1200 Series
  Cisco Aironet 1130AG Series
  Cisco Aironet 1100 Series
  Cisco Aironet 350 Series
Aironet wireless and workgroup bridges:
  Cisco Aironet 1400 Series
  Cisco Aironet 1300 Series
  Cisco Aironet 350 Series
Cisco Aironet antennas and accessories
Cisco Aironet Wireless LAN Client Adapters



Slide 24: Cisco Aironet WLAN Product Line (Cont.)
Wireless network management:
  Cisco Mobile Wireless Center
  Cisco Mobile Wireless Fault Mediator
  CiscoWorks for Mobile Wireless
  CiscoWorks Wireless LAN Solution Engine
Wireless security servers:
  Cisco Secure Access Control Server for Unix
  Cisco Secure Access Control Server for Windows
  Cisco Secure Access Control Server Solution Engine

Slide 25: Cisco Aironet WLAN Product Line (Cont.)
Wireless integrated switches and routers:
  Cisco 3200 Series wireless and mobile routers
  Cisco Catalyst 6500 Series switches
Wireless IP telephony:
  Cisco 7900 Series IP phones
[Product images: Cisco 3200 Series Wireless and Mobile Router, Cisco Catalyst 6500 Series Switches, Cisco 7900 Series IP Phones]



Slide 26: "Air"/RF Management
[Diagram: SWAN architecture. Layers shown: Clients; Wireless Access Points (AP1200, AP1100); Switches and Routers; Management Products (Cisco Secure ACS, CiscoWorks LMS and WLSE); Cisco IOS Software; CiscoWorks Management. Functions shown: "Air"/RF management, L2 mobility, L3 mobility (future), secure mobility, rogue AP/network detection, assisted site surveys, performance optimization]


Slide 27: Cisco Compatible Program for WLAN Client Devices
  Cost-effective and scalable
  Improved productivity and accuracy
  Improved security and availability


Slide 28: Wireless LAN Design Approach

Slide 29: WLAN Network Design Fundamentals
The two main WLAN network design choices are as follows:
  Implementing a dynamic WEP keying model using 802.1x EAP and TKIP
  Implementing an overlay VPN network using IPSec

Slide 30: Standard WLAN Design Guidelines
All designs include the following WLAN security principles:
  Access point security
  Client security


Slide 31: Standard Wireless LAN Design

Slide 32: Standard EAP WLAN Design: Key Devices
Key devices are:
  Wireless client adapter and software
  Wireless access point
  Layer 2 or Layer 3 switch
  RADIUS server
  DHCP server
  OTP server (optional)
  PKI server (optional)
[Diagram: DHCP/RADIUS/OTP/PKI servers, access point with EAP and TKIP, wireless computer with EAP and TKIP]


Slide 33: Attack Mitigation Roles for Standard EAP WLAN Design: Threats Mitigated
[Diagram: DHCP/RADIUS/OTP/PKI servers, access point with EAP and TKIP, and wireless computer with EAP and TKIP, each annotated with the mitigation roles it performs]
Mitigation roles shown in the diagram:
  EAP authentication; dynamic WEP key generation
  EAP authentication; TKIP (WEP enhancements)
  Inter-subnet filtering; RFC 2827 filtering
  Virus scanning; EAP authentication; TKIP (WEP enhancements); dynamic WEP key generation



Slide 34: EAP with TKIP Design Guidelines
Give special consideration to the location of the RADIUS and DHCP servers to guarantee high availability.
Rekeying for both unicast and broadcast keys is recommended.
Follow EAP-specific design guidelines.

Slide 35: Attack Mitigation Roles for Standard VPN WLAN Design: Key Devices
Key devices are:
  Wireless client adapter and software
  Remote-access VPN client with personal firewall software
  Wireless access point
  Layer 2 switch
  Layer 3 switch
  RADIUS server
  DHCP server
  OTP server
  VPN gateway
[Diagram: DHCP/RADIUS/OTP/PKI servers, access point with management interface, wireless computer with VPN client, VPN concentrator]


Slide 36: Attack Mitigation Roles for Standard VPN WLAN Design: Threats Mitigated
[Diagram: DHCP/RADIUS/OTP/PKI servers, access point with management interface, wireless computer with VPN client, and VPN concentrator, each annotated with the mitigation roles it performs]
Mitigation roles shown in the diagram:
  Remote user authentication; IPSec termination; DHCP relay
  Packet filtering
  Inter-subnet filtering; RFC 2827 filtering
  Two-factor authentication
  Possible packet filtering (device-dependent)
  Remote VPN gateway authentication; IPSec termination; personal firewall for local attack mitigation; VPN client auto-initiation


Slide 37: Standard VPN WLAN Design Guidelines
Use the VPN gateway to perform authentication.
Separate WLAN and wired traffic.
Prevent network access if the RADIUS or DHCP service fails.
Implement protocol and port filtering.
Secure DNS and DHCP servers.
Implement VACLs and control ICMP.
Use the auto-initiate feature of the VPN client.
Implement a personal firewall and disable split tunneling.
Alternatives include:
  Implementing static WEP keys
  Using a layer of 802.1x EAP with the IPSec-based VPN
  Using dedicated hosts for the VPN, WLAN, DHCP, and DNS


Slide 38: Enterprise Wireless LAN Design

Slide 39: Enterprise Network: EAP with TKIP Option
[Diagram: wireless computers with EAP and TKIP in the Building Module; Building Distribution Module; Core Module; Server Module with RADIUS/OTP/PKI servers and DHCP/AP management servers; Edge Distribution Module with links to the E-Commerce Module, the Corporate Internet Module, the VPN and Remote Access Module, and the WAN Module]



Slide 40: Enterprise Network EAP with TKIP Option: Design Guidelines
Design guidelines include:
  LEAP and VPN as viable options
  Availability and scalability of servers
  Server load balancing
Network management guidelines include:
  Creating a management VLAN
  Using the access point to provide central authentication
  Using a secure management transport protocol
Alternatives include:
  Implementing user differentiation
  Creating a guest VLAN
  Implementing packet filters

Slide 41: Enterprise Network: IPSec VPN Option
[Diagram: wireless computers with VPN client in the Building Module; Building Distribution Module; Core Module; Server Module with RADIUS/OTP servers and DHCP/AP management servers; VPN concentrator cluster; Edge Distribution Module with links to the E-Commerce Module, the Corporate Internet Module, the VPN and Remote Access Module, and the WAN Module]



Slide 42: Enterprise IPSec VPN Option: Design Guidelines
Design guidelines include:
  Balance the necessary cost-security trade-offs.
  Consider client traffic to be insecure before the IPSec tunnel is established.
  Use the auto-initiate feature of the VPN client.
  Filter with ACLs.
  Create redundant servers and VPN gateways for high availability and scalability.
Alternatives include:
  Implement NIDS and firewalls.
  Physically separate WLAN access.
  Create multiple SSIDs and VLANs.

Slide 43: Medium Wireless LAN Design

Slide 44: Medium Network: EAP with TKIP Option
[Diagram: DHCP/RADIUS/OTP/PKI/AP management servers, management servers, corporate users, wireless computer with EAP and TKIP, access point with EAP and TKIP, links to the WAN Module and the Corporate Internet Module]


Slide 45: Medium Network EAP with TKIP Option: Design Guidelines
General guidelines include:
  Both EAP and VPN are viable security options.
  Prevent network access if the RADIUS service fails.
Network management guidelines include:
  Create a management VLAN.
  Configure the access point to provide central AAA.
  Use the SSH Protocol.
Alternatives include:
  RADIUS and DHCP server redundancy
  Option to implement local RADIUS and DHCP servers
  User differentiation

Slide 46: Medium Network: IPSec VPN Option
[Diagram: DHCP/RADIUS/OTP/PKI/AP management servers, management servers, corporate users, wireless computer with VPN client, access point, VPN concentrator, links to the WAN Module and the Corporate Internet Module]


Slide 47: Medium Network VPN WLAN Design: Alternative
[Diagram: DHCP/RADIUS/OTP/PKI/AP management servers, management servers, corporate users, wireless computer with VPN client, access point, VPN concentrator, links to the WAN Module and the Corporate Internet Module]


Slide 48: Small Wireless LAN Design

Slide 49: Small Network EAP WLAN Design
[Diagram: corporate servers, corporate users, wireless computer with EAP and TKIP, access point with EAP and TKIP, DHCP/RADIUS/OTP/PKI management servers, link to the Corporate Internet Module]


Slide 50: Small WLAN Network: Design Guidelines
Guideline:
  Single IP subnet
Network guideline:
  Implementing EAP with DHCP and RADIUS authentication
Alternative:
  Using static WEP keys (not recommended)

Slide 51: Remote Wireless LAN Design

Slide 52: Remote WLAN Design
The two primary types of remote VPN connectivity defined by SAFE are:
  Software-based VPNs
  Hardware-based VPNs


Slide 53: Software VPN Remote Network WLAN Design
[Diagram: VPN software client with personal firewall, access point, broadband access device, Internet]


Slide 54: Hardware VPN Remote Network WLAN Design
[Diagram: wireless computer with EAP and TKIP, access point with EAP and TKIP, VPN concentrator, broadband access device, Internet]


Slide 55: SAFE WLAN Implementation


Slide 56: Access Point: Setup Menu Options

Slide 57: Access Point: Express Setup Menu

Slide 58: Access Point: Security Setup

Slide 59: Access Point: WEP Setup

Slide 60: Configuring ACU
[Screenshot: Aironet Client Utility, Profile Manager]


Slide 61: Configuring the Client for WEP
[Screenshot: network security settings; WEP key information; "Use static WEP keys"]

Slide 62: Configuring the Client for WEP (Cont.)
[Screenshot: client and access point WEP key settings side by side; the keys must match]


Slide 63: Enabling Authentication on Access Point
[Screenshot: authentication server settings]

Slide 64: Defining an Authenticator
[Screenshot: EAP and LEAP authentication; MAC authentication]

Slide 65: Enabling LEAP on the Client
[Screenshot: LEAP selected; Configure button]

Slide 66: Enabling LEAP on the Client (Cont.)
[Screenshot: LEAP username and password parameters]


Slide 67: Cisco ACS: Main Screen
[Screenshot: Network Configuration]

Slide 68: User Setup in ACS
[Screenshot: user information]

Slide 69: Network Configuration in ACS
[Screenshot: Network Configuration]

Slide 70: Network Configuration in ACS (Cont.)
[Screenshot: network access server hostname and IP address; authentication protocol]

Slide 71: Session Policy Setup in ACS
[Screenshot: Network Configuration; Edit Settings]

Slide 72: Session Policy Setup in ACS (Cont.)
[Screenshot: session timeout]


Slide 73: Summary
IEEE 802.11 is the standard that is used by wireless technologies.
Security for IEEE 802.11 networks can be simplified into two main components:
  Encryption
  Authentication
There are four WLAN components.
There are security extensions for SAFE WLAN.
There are two main WLAN network design choices:
  Implementing a dynamic WEP keying model using 802.1x EAP and TKIP
  Implementing an overlay VPN network using IPSec

Slide 74: Summary (Cont.)
There are numerous design considerations for small, medium, enterprise, and remote-user WLANs.
The mitigation roles identified for each threat are integral to a successful WLAN implementation.
The design process is often a series of trade-offs. Some of these trade-offs are made at the module level, whereas others are made at the component level.

Slide 75: Lab Visual Objective


Slide 76: Lab 1 Visual Objective
[Topology diagram for Pod P (1–10): 10.0.P.0/24 network, corporate server/ACS 10.0.P.10, wireless computer 10.0.P.11, host 10.0.P.21, 172.18.P.0/24 network, router RTS with interfaces e0, e1 and e4, and labels pub, priv, pP, cP, .1, .2, .5 and .100]

Slide 77: Labs 2 and 3 Visual Objective
[Topology diagram: same pod layout as slide 76]

Slide 78: Lab 4 Visual Objective
[Topology diagram: same pod layout as slide 76]

