Apresentação em tema: "Implementando segurança em redes wireless"— Transcrição da apresentação:
1 Implementando segurança em redes wireless Alberto Oliveira – LanlinkMCSE:Security, Security+João Carlos Manzano – MicrosoftSecurity Specialisty
2 Agenda Introdução Tendências Necessidades e Desafios Padrões e TecnologiasSolução: Windows Server 2003Implementando a SoluçãoNovidades do Longhorn/Vista
3 Redes Wireless Global & Universal Area Wide Area & Metro Area Satellite Data NetworksWhat is Wireless LAN (WLAN)?Global or Universal Area Wireless Network: A wireless network that is available anywhere in the world. Satellites can be used for this purpose. The wireless connection is very long distance in this case. And for most applications, it requires a stationary client receiver.Wireless Wide Area Network (WWAN): This connection is made using land-based antenna which are widely spaced. Typically, this is a cellular or pager network. Currently, typical data speeds do not exceed kilobits per second (Kbps) with the exception of Cellular Digital Packet Data (CDPD). However, new technologies are being introduced to increase future data speeds for cellular networks.Wireless Local Area Network (WLAN): A wireless version on an Ethernet-style network. This type of network typically stays within large buildings making ideal for warehouse and office applications.Personal Area Network (PAN): This is a peer-to-peer network. Using either Bluetooth or Infrared technologies, it servers as a “cable replacement” for such purposes as connecting a handheld device to the Internet or replacing cables that connect a PC to a printer, keyboard, and a mouse. Infrared requires a clear line of sight between the two IrDA devices and typically has a viable connection distance of up to two meters and can transmit data at up to 115 Kbps (although different implementations of the technology can change the performance of IrDA). Bluetooth, a low-wattage, radio frequency-based medium, has a viable connection distance of up to 10 meters and can transmit data at up to 720 Kbps.Wide Area & Metro AreaCellular-based mobile dataLocal AreaWireless LAN (WLAN)HiperLAN/2Personal AreaBluetoothHomeRF
4 Visão sobre WirelessExtende o poder das aplicações e serviços, através da ativação de conectividade sem fio confiável, segura, presente e transparente.WWANConectividade de Dados através do CelularWLANRede Local, baseado em WiFi (802.11a/b/g) e hotspotsPANRede local usando Bluetooth (UWB)Plataforma de serviços de localizaçãoPermitir localizaça de dados de todas as origens wireless (incluindo GPS) para permitir uma rica experiência em WindowsHomeRFThe HomeRF wireless networking standard was designed specifically for home use. Operating in the 2.4GHz band, HomeRF utilizes frequency hopping spread spectrum (FHSS) modulation.The HomeRF Working Group released the Shared Wireless Access Protocol (SWAP) 1.0 specification several years ago at 1.6Mbps. To compete more effectively against higher-speed networking products, SWAP 2.0 increased the maximum data throughput speed to 10Mbps. The HomeRF Working Group is planning to move to speeds of up to 20Mbps in 2002 that are capable of supporting products such as video tablets and HDTV. HomeRF as obvious from the name does not compete in the space where Windows Server 2003 wireless networking wants to goHomeRF continues to be threatened by SOHO vendors in the b market that are ramping cheaper products and pushing for standardization across all environments, from enterprise to home to public access. It is likely b will increasingly make headway into the home market.BluetoothBluetooth is a low-cost, low-power, short-range wireless technology that communicates data and voice in point-to-multipoint networks from 0 to 10 meters (up to 32 feet). Inhabiting the 2.4GHz band Bluetooth transfers at data rates of up to 721Kbps. The extent to which Bluetooth interferes with b networking equipment has not yet been properly defined, with some claiming that interference will be minimal and others claiming that interference between both products will cause the malfunction of one or the other or both. Microsoft is working with the co-existence of b and Bluetooth committee to ensure a smooth customer experience.In any discussion of Bluetooth, it is extremely important to point out its actual uses. Bluetooth is specifically designed as a PAN. Its usage can be roughly grouped into three functionality areas: cell phones/PDAs; peripheral devices, such as headsets, keyboards, mice, cell phones, and printers; and devices connected to a PC with a wire. Thus, the original intent of Bluetooth has always been quite limited in scope, though many have spoken of Bluetooth's ability to scale into much bigger and wider networks.HiperLAN/2HiperLAN/2 has begun to emerge as a potential competitor to a in the 5GHz band. The technology is designed to achieve data throughput speeds of up to 54Mbps. HiperLAN/2 has been touted for its QoS mechanisms, which enable robust multimedia capabilities such as audio and video streaming. HiperLAN/2 also has dynamic power control and gives network managers the ability to select sub frequency ranges within the 5GHz space.Significant challenges exist for HiperLAN/2 chiefly because it is technically legal only in Europe. Having learned its lessons from the b and HomeRF problems, a recently formed committee is working explicitly on a solution to develop harmonization between HiperLAN/2 and a.United States wireless networking industry has focused on a and is working to gain legalization in Europe. Barring this, solutions enabling both technologies to interoperate will be key for avoiding compatibility issues going forward.802.11bWithout a doubt, the majority of WLANs today are b (called Wi-Fi by the average user). This current generation made its debut in 1999 and boasts data throughput up to 11Mbps. A drawback is the current b standard lacks QoS. This will be an impending issue with applications such as voice and streaming audio/video. An extension, termed e, to solve this problem is under consideration.802.11g802.11g was recently certified for general use by the FCC g is an extension of b in the 2.4GHz band, though it increases speeds up to 22Mbps. IDC sees the g campaign as a strategy for the big b players (most notably Intersil) to hang onto their current market dominance. However, by the time the technology is approved and under way, a could already be off and running. Overall, with late general availability for g - sometime in 2003 – analysts believe it will be too late for the standard. Pricing will be too competitive on the a side, with many consumers looking for higher data rates to support their higher-order applications, primarily in the home.802.11aBilled as the next generation of wireless networks, a is designed to replace b and HomeRF networking technologies. The a standard promises faster data rates of up to 54Mbps and runs at the cleaner, less congested 5GHz frequency. One major problem is a is not backward compatible with the technology it is designed to replace.Regulation wise, a is completely legal in North America. The technology is currently unlicensed in Europe, so a is neither quite legal nor illegal (thus the enthusiasm for HiperLAN/2 in that region). Problems are not expected in either Japan or ROW.As noted previously, a is not backward compatible with b. Thus, existing b networks will need to be updated with new NICs and APs. Because both inhabit different ISM bands, they can coexist with few difficulties, and solutions enabling LAN networking between both standards are expected. Microsoft is moving towards a a model and will be providing a migration path to the customers moving from b to a.
5 Tendência em Redes Wireless Explosão no crescimento de dispotivos wirelessCrescente aumento nas vendas de handheldsAumento da banda em WLANAté 54MbpsSuporte wireless de fábricaA maioria dos Laptops e PDA’s possuem esse recurso.There is a great demand for wireless devices as noted by the IDC study. Apart from the convenience value there two major reasons for the explosive growth. Today enterprises have turned into virtual communities where employees demand constant network connectivity in order to get access to mail, files or other business critical applications weather they are on site or off. Many people have chosen to work from their homes or satellite offices and all this requires a network that is agile enough to adapt to the ever changing needs and demands of businesses. The more agile the network the quicker the responsiveness of the employees resulting in increased business efficiency.The reason for the surge in mobile access is attributed to the enhanced productivity of the employee and hence that of the company. Various studies have confirmed this phenomenon example being a recent study by Gartner that shows an increase of 30% in productivity of a mobile infrastructure. Another example is of Microsoft whose internal estimates have shown an increase of anywhere from minutes in employee’s productivity with wireless access enablement.Another driver is the growing number of workforce preferring to work from remote locations.
6 Necessidade de Redes Wireless Produtividade dos FuncionáriosAcesso habilitado de qualquer lugar da empresa para os recursos e aplicações críticas, de forma rápida e segura“ Acesso Wireless aos funcionários em umarede corporativa aumenta a produtividade em 30%”(Gartner)To improve productivity, companies are rapidly extending their corporate networks to enable employees to access network over wireless connections.“Os usuários móveis dos EUA devemdobrar entre “(IDC)
7 Requisitos da solução Conectividade Segura Qualquer Lugar Internet hotspots, redes de parceiros, filiaisQualquer DispositivoComputadores, PDA’sQualquer ConexãoWired, Wireless, Dial-up, VPNRequirements for mobilityTo make networks agile, enterprises require secure anywhere, any device over any connection network access to business critical applications. So weather you are a telecommuter, an on-site user or a remote employee accessing information via a PDA, lab top or desktop in a wired or wireless environment you are assured secure access. For instance being a Microsoft employee an individual is ensured access to corporate resources regardless of the location, method of access or the access device used (PDA, Lap top, desk top, cell phone etc.)
8 Desafios Atacante Segurança Fraca Ataque de Denial of service Rogue APLegadoWirelessDictionary AttackServ. AqruivosStoryline:While there are many benefits for the company and the information worker, this also introduces a new set of risk and challenges.Wireless access to corporate LANs often extend the reach of the network outside the physical boundaries of company’s building.Finally, extending the reach of the corporate network increases the risk of security compromise leading to an increased management burden on the IT staff.The b standard proposed by IEEE has many security flaws like:Static keys for sessionNo safeguard against rogue access pointsWeak WEP encryptionMuitos WAP’s insegurosChave WEP facilmente quebradaAtaques aos WAP’s são difíceis de detectarActiveDirectoryApps Web
9 Linha do Tempo Original 802.11 Security: Autenticação nativa 802.11 Criptografia WEP estática802.1X with WEPAutenticação XGerenciamento de chaves 802.1XProteção de dados WEP dinâmica802.11i (WPA2)Autenticação 802.1XGerenciamento de chaves 802.1X aumentadaProteção de dados baseado em AESPré-AutenticaçãoWPAAutenticação 802.1XGerenciamento de chaves 802.1X aumentadaProteçao baseado em TKIP1999200120032004Alternativas de Segurança Fracas:Filtro de Endereços MAC – Não pode Escalar.VPN – Permite acesso total a Rede.Tunelamento IPSec – Solução Proprietária.
10 Padrão IEEE Padrão Descrição 802.11Especificação base que define os conceitos de transmissão em redes Wireless802.11aVelocidade de trasmissão de até 5.4 megabits (Mbps) por segundo802.11bVelocidade de transmissão de até 11 MbpsBoa faixa de abrangência, mas suscetível a interferência de sinais de rádio802.11gVelocidade de transmissão de até 54 MbpsFaixas de abrangência mais curtas que b802.1X - Um padrão que define os mecanismos de controle de acesso baseado em portas para a autenticação na rede, e opcionalmente, para gerenciar chaves usadas para proteger o tráfego
11 Autenticação WEP Wired Equivalent Privacy Mecanismo de segurança com 2 níveis de Criptografia: 64-bit and 128-bitMelhor do que não ter segurança mas é um protocolo relativamente fácil de quebrar (muitas ferramentas na Internet)Segurança pode ser aumentada rotacionando chaves randomicamente ou separando a rede com fio da rede Wireless “menos segura”.Wired Equivalent PrivacyWas designed to protect the radio connection
12 Autenticação IEEE 802.1XPadrão para segurança de rede baseado em portas, mas não define o atual mecanismo de autenticaçãoEncapsula o protocolo EAP para redes com ou sem fio (wireless)EAP was originally designed for point to point networksThis component defines how the client authenticates for access to the network
13 Usando o EAP Extensible Authentication Protocol EAP-TLS (Transport Layer Security )Utiliza certificados tanto em clientes quanto em servidores para autenticaçãoUtiliza mecanismo de autenticação similar ao do HTTPSRequer infra-estrutura de gerenciamento de chaves extensaPEAP (Protected EAP)Utiliza o PKI para negociar a conexão inicial com o access pointFeito sobre a implementação de EAP-TLSA conexão com a rede é liberada apenas após autenticação do usuário e senha
14 WPA Wi-FI Protected Access Aumenta a segurança mantendo o hardware existenteAbsorve alguns recursos do i:Message Integrity Check (MIC)Temporal Key Integrity Protocol (TKIP)Aperfeicoamento do WEP com a introdução de novos algoritmosConsiste em dois Certificados:WPA-PersonalWPA-EnterpriseMessage Integrity Check (MIC)An additional field in the data frame to protect the header and the payload of a given packetTemporal Key Integrity Protocol (TKIP)Fixes the static key issue found with WEP by changing a portion of the key for every packet transmittedDoes not require new hardware changes as this still utilizes the WEP infrastructure found in many Access pointsWPA-PersonalHas passed tests using Pre-Shared keys (PSK) onlyWPA-EnterprisePassed interoperability tests in both PSK only mode and 802.1X/EAP only modeSuperset of WPA-Personal
15 IEEE iAlteração na especificação existente para o padrão que aumenta a segurança na camada MAC (Media Access Control)Chamado de WPA2 pela Wi-Fi AllianceIntroduz o protocolo de nome Robust Security Network (RSN)Pode usar dois tipos possiveis de protocolos de criptografia baseados no AES (Advanced Encryption Standard ):Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) Wireless Robust Authenticated Protocol
16 Windows Server 2003 Segurança aumentada + CapacidadeWindows NT 4.0Windows 2000 ServerWindows Server 2003Integrado com o Active Directory*+PKI integrada para autenticação de smartcardLog XML ricoRADIUS Load Balancing802.1X para autenticação segura de redes com e sem fio (wireless)PEAP para autenticação da rede usando senhaQuarantena de RedeNAT Traversal para VPNS usando IPSECPilha de rede IPv6 integradaTrends …P – Inluido no produto Windows ServerP+ - Inlui melhorias da versão anterior* Integrado com o Windows NT 4.0 User Domains
17 Solução Windows Server 2003 HackerXWindows Server 2003SeguroGerenciávelInteroperávelMelhor CustoLegadoWirelessServ. ArquivosBackgroundWireless networking is a fast growing trend especially with the built in support for standards like and Bluetooth. The biggest inhibitor to its growth however is the weakness of the standard. The key weaknesses of the protocol include things like static key for a session, weak encryption of credentials over the wire and no defense mechanism against a rogue access point.Microsoft realizing the problem recommended a portal based solution that addressed these issues not only for wireless but for wired access as well. The recommendation was accepted as what became known as the 802.1X standard.The Solution802.1X uses what is called an EAP-TLS (Extensible Authentication Protocol- Transport Layer Security) protocol which authenticates the client against a RADIUS server. For 802.1X to work a server has to authenticate itself against the client and vice versa which was not the case with 802.1X. This way the threat of a rogue AP is minimized. Secondly 802.1x uses certificates for encryption, making it extremely difficult to force denial of service attacks and ensures that the server.Windows Server 2003 also offers what is called the Protected EAP or PEAP (standard IETF draft) that uses secure passwords for authentication. To read more about PEAP please visitStandards Compliance802.1X is a standard which is being followed by all major vendors including Microsoft. PEAP is also a proposed standard which has Cisco and RSA’s backing besides Microsoft. With Windows networking technologies a customer will always enjoy interoperability.Although 802.1X is a secure solution the problem is that it requires a PKI infrastructure which is hard to implement and is expensive.Microsoft solves this problem by providing a secure manageable and affordable solutionVerifica um Certificado x509 válidoApps WebSalvaguarda contra AP falsosCriptografia forte para proteçao contra DoSMudança de chaves dinâmicas
18 Windows Server 2003SeguroGerenciávelInteroperávelMelhor CustoServiços de segurança inclusos, como Certification AuthorityAcesso ao wireless baseado em senhas e segurasSuporta métodos de autenticação de terceirosSeguro contra ataques de senha (dicionário)The unique value of Microsoft technologies is that they be combined together for maximum customer benefit to enjoy services like single sign on etc. You can use a Windows based VPN or can decide on deploying a secure wireless solution from Microsoft and it will still give you the desired level of security, manageability and interoperability that you are wanting from a solution; however consolidated network access is simple and cost effective. You can easily roll out an additional service if you have any one of the services in place without changing the infrastructure. Just by adding a few servers you can move from a VPN environment to an added wireless LAN. There are no added CALs for any of the additional services making it extremely cost effective.
19 Windows Server 2003 Implementação fácil usando guias SeguroGerenciávelInteroperávelMelhor CustoImplementação fácil usando guiasGerenciamento de clientes centralizadoRelatórios e monitoração detalhadas da redeFácil deployment com o recurso zero client configurationWindows Server 2003 by tightly integrating authentication and security services out of the box makes the task of management simple. An administrator has full control over the identity of the clients and can push down policies centrally without having to manage them at various locations. With the addition of newer tools monitoring and accounting of users is enhanced and many of the critical and hard to implement services have been automated, requiring less human intervention thus reducing the delta of error.
20 Windows Server 2003 DHCP, DNS e pilha TCP/IP usando padrões SeguroGerenciávelInteroperávelMelhor CustoDHCP, DNS e pilha TCP/IP usando padrõesSuporte aos principais protocolos de redeInteroperabilidade com dispositivos WiFi certificadosInteroperabilityWindows Server 2003 technologies are based on industry standards as defined by IEEE’s IETF and WECA bodies. A customer is rest assured a multi-vendor environment going with Microsoft’s technologies. Microsoft clients and server protocols are supported by all major gateway vendors like Cisco, Checkpoint, Nortel etc. Going with Windows customers have the flexibility to deploy an end to end solution or can take part of the solution to work with an existing standards based infrastructure.Although Microsoft technologies offer wide multi-vendor support to realize maximum benefits it is highly recommended a customer deploy and end to end solution.
21 Windows Server 2003SeguroGerenciávelInteroperávelMelhor CustoMesma infra-estrutura para conexões Dial-Up, VPN, com fio (wired) e sem fio (Wireless)Single Sign on para os recursos de redeMesmo cliente para todos os métodos de acessoThe unique value of Microsoft technologies is that they be combined together for maximum customer benefit to enjoy services like single sign on etc. You can use a Windows based VPN or can decide on deploying a secure wireless solution from Microsoft and it will still give you the desired level of security, manageability and interoperability that you are wanting from a solution; however consolidated network access is simple and cost effective. You can easily roll out an additional service if you have any one of the services in place without changing the infrastructure. Just by adding a few servers you can move from a VPN environment to an added wireless LAN. There are no added CALs for any of the additional services making it extremely cost effective.
22 Elementos da rede Wireless Domain Controller (DC)RADIUS (IAS)Certification Authority (CA)DHCP Services (DHCP)DNS Services (DNS)FilialLANIAS/DNS/DCEscritório CentralPrimárioSecundárioAccess PointsSecundárioIAS/CA/DCAccess PointsLANPirmárioClientes WLANIAS/DNS/DCDHCPClientes WLAN
23 IAS Server Melhorias no servidor IAS do Windows 2000 para wireless Autenticação usando Certificados (EAP-TLS) e Senhas Seguras (PEAP)Suporte a autenticação da estaçãoPara ambas as soluções EAP-TLS e PEAPWindows 2003 IAS ServerMelhorias de performance quando usando distribuiçao de certificadosRegistro dos AP’s com servidores RADIUSMelhoria na captura de eventos (logging) usando tanto com SQL quanto o formato XMLScaling up – RADIUS Proxy fail over e fail backScale out através da exportação e restauração da configuração
24 Active Directory Windows 2000 AD Windows 2003 AD Apenas auto enrollment e renovação dos certificadosWindows 2003 ADAuto enrollment e renovação para estaçõesAuto enrollment e renovação para usuáriosSuporte de Group Policy para configurações Wireless
25 Novidades no Longhorn Suporte nativo a WPA2 Perfis de wireless melhoradosSuporte as opções de autenticação WPA2 via GPOLista de redes wireless permitidas e negadasIntegração com o NAP (Network Access Protection)
26 O que aprendemos Visão geral sobre wireless Protocolos de segurança Padrões de mercadoModelos de ambienteNovidades para o Longhorn/Vista
27 Próximos passos: Acesse: Associações: Documentação sobre Wireless:Documentação sobre IAS:WLAN Device Driver development:802.1X Authentication:Wireless Network Security within 802.1X:Set up 802.1X Authentication on Windows XP Client:Associações:Wireless LAN:IEEE & 802.1X:Wi-Fi Alliance:
28 Próximos passosTreinamentos de segurança:Sign up for security communications: default.mspxFind additional e-learning clinicsGet additional security information on Exchange Server 2003: default.mspx
29 Para mais informações. Visite-nos em www.technetbrasil.com.br Nossa página de segurançaAprenda e ensine mais sobre segurança na internet para crianças, jovens e adultos em: