Implementing security in wireless networks


Implementing security in wireless networks
Alberto Oliveira – Lanlink, MCSE:Security, Security+
João Carlos Manzano – Microsoft Security Specialist

Agenda: Introduction; Trends; Needs and Challenges; Standards and Technologies; Solution: Windows Server 2003; Implementing the Solution; What's New in Longhorn/Vista.

Wireless Networks
Diagram labels: Global & Universal Area: satellite data networks. Wide Area & Metro Area: cellular-based mobile data. Local Area: Wireless LAN (WLAN), HiperLAN/2. Personal Area: Bluetooth, HomeRF.

What is Wireless LAN (WLAN)?

Global or Universal Area Wireless Network: A wireless network that is available anywhere in the world. Satellites can be used for this purpose. The wireless connection is very long distance in this case, and for most applications it requires a stationary client receiver.

Wireless Wide Area Network (WWAN): This connection is made using land-based antennas that are widely spaced. Typically, this is a cellular or pager network. Currently, typical data speeds do not exceed 9.6-14.4 kilobits per second (Kbps), with the exception of Cellular Digital Packet Data (CDPD). However, new technologies are being introduced to increase future data speeds for cellular networks.

Wireless Local Area Network (WLAN): A wireless version of an Ethernet-style network. This type of network typically stays within large buildings, making it ideal for warehouse and office applications.

Personal Area Network (PAN): This is a peer-to-peer network. Using either Bluetooth or infrared technologies, it serves as a "cable replacement" for such purposes as connecting a handheld device to the Internet or replacing cables that connect a PC to a printer, keyboard, and mouse. Infrared requires a clear line of sight between the two IrDA devices, typically has a viable connection distance of up to two meters, and can transmit data at up to 115 Kbps (although different implementations of the technology can change the performance of IrDA). Bluetooth, a low-wattage, radio frequency-based medium, has a viable connection distance of up to 10 meters and can transmit data at up to 720 Kbps.

Wireless Vision
Extends the power of applications and services by enabling reliable, secure, pervasive and transparent wireless connectivity.
WWAN: data connectivity over cellular.
WLAN: local network based on Wi-Fi (802.11a/b/g) and hotspots.
PAN: local network using Bluetooth (UWB).
Location services platform: enable location data from all wireless sources (including GPS) to provide a rich experience on Windows.

HomeRF: The HomeRF wireless networking standard was designed specifically for home use. Operating in the 2.4GHz band, HomeRF utilizes frequency hopping spread spectrum (FHSS) modulation. The HomeRF Working Group released the Shared Wireless Access Protocol (SWAP) 1.0 specification several years ago at 1.6Mbps. To compete more effectively against higher-speed networking products, SWAP 2.0 increased the maximum data throughput speed to 10Mbps. The HomeRF Working Group is planning to move to speeds of up to 20Mbps in 2002 that are capable of supporting products such as video tablets and HDTV. HomeRF, as is obvious from the name, does not compete in the space where Windows Server 2003 wireless networking wants to go. HomeRF continues to be threatened by SOHO vendors in the 802.11b market that are ramping cheaper products and pushing for standardization across all environments, from enterprise to home to public access. It is likely 802.11b will increasingly make headway into the home market.

Bluetooth: Bluetooth is a low-cost, low-power, short-range wireless technology that communicates data and voice in point-to-multipoint networks from 0 to 10 meters (up to 32 feet). Inhabiting the 2.4GHz band, Bluetooth transfers at data rates of up to 721Kbps. The extent to which Bluetooth interferes with 802.11b networking equipment has not yet been properly defined, with some claiming that interference will be minimal and others claiming that interference between both products will cause the malfunction of one or the other or both. Microsoft is working with the co-existence of 802.11b and Bluetooth committee to ensure a smooth customer experience. In any discussion of Bluetooth, it is extremely important to point out its actual uses. Bluetooth is specifically designed as a PAN. Its usage can be roughly grouped into three functionality areas: cell phones/PDAs; peripheral devices, such as headsets, keyboards, mice, cell phones, and printers; and devices connected to a PC with a wire. Thus, the original intent of Bluetooth has always been quite limited in scope, though many have spoken of Bluetooth's ability to scale into much bigger and wider networks.

HiperLAN/2: HiperLAN/2 has begun to emerge as a potential competitor to 802.11a in the 5GHz band. The technology is designed to achieve data throughput speeds of up to 54Mbps. HiperLAN/2 has been touted for its QoS mechanisms, which enable robust multimedia capabilities such as audio and video streaming. HiperLAN/2 also has dynamic power control and gives network managers the ability to select sub-frequency ranges within the 5GHz space. Significant challenges exist for HiperLAN/2, chiefly because it is technically legal only in Europe. Having learned its lessons from the 802.11b and HomeRF problems, a recently formed committee is working explicitly on a solution to develop harmonization between HiperLAN/2 and 802.11a. The United States wireless networking industry has focused on 802.11a and is working to gain legalization in Europe. Barring this, solutions enabling both technologies to interoperate will be key for avoiding compatibility issues going forward.

802.11b: Without a doubt, the majority of WLANs today are 802.11b (called Wi-Fi by the average user). This current generation made its debut in 1999 and boasts data throughput up to 11Mbps. A drawback is that the current 802.11b standard lacks QoS. This will be an impending issue with applications such as voice and streaming audio/video. An extension, termed 802.11e, to solve this problem is under consideration.

802.11g: 802.11g was recently certified for general use by the FCC. 802.11g is an extension of 802.11b in the 2.4GHz band, though it increases speeds up to 22Mbps. IDC sees the 802.11g campaign as a strategy for the big 802.11b players (most notably Intersil) to hang onto their current market dominance. However, by the time the technology is approved and under way, 802.11a could already be off and running. Overall, with late general availability for 802.11g, sometime in 2003, analysts believe it will be too late for the standard. Pricing will be too competitive on the 802.11a side, with many consumers looking for higher data rates to support their higher-order applications, primarily in the home.

802.11a: Billed as the next generation of wireless networks, 802.11a is designed to replace 802.11b and HomeRF networking technologies. The 802.11a standard promises faster data rates of up to 54Mbps and runs at the cleaner, less congested 5GHz frequency. One major problem is that 802.11a is not backward compatible with the technology it is designed to replace. Regulation-wise, 802.11a is completely legal in North America. The technology is currently unlicensed in Europe, so 802.11a is neither quite legal nor illegal (thus the enthusiasm for HiperLAN/2 in that region). Problems are not expected in either Japan or ROW. As noted previously, 802.11a is not backward compatible with 802.11b. Thus, existing 802.11b networks will need to be updated with new NICs and APs. Because both inhabit different ISM bands, they can coexist with few difficulties, and solutions enabling LAN networking between both standards are expected. Microsoft is moving towards an 802.11a model and will be providing a migration path to customers moving from 802.11b to 802.11a.

Trends in Wireless Networks
Explosive growth in wireless devices: rising sales of handhelds.
Increased WLAN bandwidth: up to 54Mbps.
Factory-installed wireless support: most laptops and PDAs have this feature.

There is a great demand for wireless devices, as noted by the IDC study. Apart from the convenience value, there are two major reasons for the explosive growth. Today enterprises have turned into virtual communities where employees demand constant network connectivity in order to get access to mail, files or other business-critical applications, whether they are on site or off. Many people have chosen to work from their homes or satellite offices, and all this requires a network that is agile enough to adapt to the ever-changing needs and demands of businesses. The more agile the network, the quicker the responsiveness of the employees, resulting in increased business efficiency. The reason for the surge in mobile access is attributed to the enhanced productivity of the employee and hence that of the company. Various studies have confirmed this phenomenon, one example being a recent study by Gartner that shows an increase of 30% in productivity for a mobile infrastructure. Another example is Microsoft, whose internal estimates have shown an increase of anywhere from 30 to 90 minutes in employee productivity with wireless access enablement. Another driver is the growing share of the workforce preferring to work from remote locations.

The Need for Wireless Networks
Employee productivity: fast, secure access to critical resources and applications from anywhere in the company.
"Wireless access for employees on a corporate network increases productivity by 30%" (Gartner)
"Mobile users in the US are expected to double between 2001 and 2006" (IDC)

To improve productivity, companies are rapidly extending their corporate networks to enable employees to access the network over wireless connections.

Solution Requirements: Secure Connectivity
Anywhere: Internet hotspots, partner networks, branch offices.
Any device: computers, PDAs.
Any connection: wired, wireless, dial-up, VPN.

Requirements for mobility: To make networks agile, enterprises require secure network access to business-critical applications from anywhere, on any device, over any connection. So whether you are a telecommuter, an on-site user or a remote employee accessing information via a PDA, laptop or desktop in a wired or wireless environment, you are assured secure access. For instance, a Microsoft employee is ensured access to corporate resources regardless of the location, method of access or access device used (PDA, laptop, desktop, cell phone, etc.).

Challenges
Diagram labels: attacker, rogue AP, legacy wireless, file servers, email, Active Directory, web apps.
Weak security; denial-of-service attacks; dictionary attacks.
Many insecure WAPs.
WEP key easily broken.
Attacks on WAPs are hard to detect.

Storyline: While there are many benefits for the company and the information worker, this also introduces a new set of risks and challenges. Wireless access to corporate LANs often extends the reach of the network outside the physical boundaries of the company's building. Finally, extending the reach of the corporate network increases the risk of security compromise, leading to an increased management burden on the IT staff. The 802.11b standard proposed by IEEE has many security flaws, such as:
Static keys for the session
No safeguard against rogue access points
Weak WEP encryption

Timeline (years shown: 1999, 2001, 2003, 2004)
Original 802.11 security: native 802.11 authentication; static WEP encryption.
802.1X with WEP: 802.1X authentication; 802.1X key management; dynamic WEP data protection.
WPA: 802.1X authentication; enhanced 802.1X key management; TKIP-based protection.
802.11i (WPA2): 802.1X authentication; enhanced 802.1X key management; AES-based data protection; pre-authentication.

Weak security alternatives:
MAC address filtering: does not scale.
VPN: allows full access to the network.
IPSec tunneling: proprietary solution.

IEEE Standards (standard: description)
802.11: base specification that defines the transmission concepts for wireless networks.
802.11a: transmission speed of up to 5.4 megabits per second (Mbps).
802.11b: transmission speed of up to 11 Mbps; good range, but susceptible to radio signal interference.
802.11g: transmission speed of up to 54 Mbps; shorter range than 802.11b.
802.1X: a standard that defines port-based access control mechanisms for network authentication and, optionally, for managing the keys used to protect traffic.

WEP Authentication: Wired Equivalent Privacy
Security mechanism with two levels of encryption: 64-bit and 128-bit.
Better than having no security, but a relatively easy protocol to break (many tools on the Internet).
Security can be improved by rotating keys randomly or by separating the wired network from the "less secure" wireless network.

Wired Equivalent Privacy was designed to protect the radio connection.

IEEE 802.1X Authentication
A standard for port-based network security, but one that does not define the actual authentication mechanism.
Encapsulates the EAP protocol for wired or wireless networks.

EAP was originally designed for point-to-point networks. This component defines how the client authenticates for access to the network.

Using EAP: Extensible Authentication Protocol
EAP-TLS (Transport Layer Security): uses certificates on both clients and servers for authentication; uses an authentication mechanism similar to that of HTTPS; requires an extensive key management infrastructure.
PEAP (Protected EAP): uses the PKI to negotiate the initial connection with the access point; built on top of the EAP-TLS implementation; the network connection is granted only after the user name and password are authenticated.

WPA: Wi-Fi Protected Access
Increases security while keeping existing hardware.
Takes on some features of 802.11i: Message Integrity Check (MIC); Temporal Key Integrity Protocol (TKIP).
Improves on WEP by introducing new algorithms.
Comprises two certifications: WPA-Personal and WPA-Enterprise.

Message Integrity Check (MIC): an additional field in the data frame to protect the header and the payload of a given packet.
Temporal Key Integrity Protocol (TKIP): fixes the static key issue found with WEP by changing a portion of the key for every packet transmitted. Does not require new hardware, as it still utilizes the WEP infrastructure found in many access points.
WPA-Personal: has passed tests using pre-shared keys (PSK) only.
WPA-Enterprise: passed interoperability tests in both PSK-only mode and 802.1X/EAP-only mode. Superset of WPA-Personal.

IEEE 802.11i
An amendment to the existing 802.11 specification that increases security at the MAC (Media Access Control) layer.
Called WPA2 by the Wi-Fi Alliance.
Introduces the protocol named Robust Security Network (RSN).
Can use two possible encryption protocols based on AES (Advanced Encryption Standard): Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP); Wireless Robust Authenticated Protocol.
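The WPA and 802.11i slides above separate TKIP from AES-based CCMP, and Personal (PSK) from Enterprise (802.1X). As an added example, not part of the original presentation, the following Python code parses the security element an access point advertises and reports which of those modes it offers. The element IDs (48 and 221), OUIs and suite numbers are taken from the IEEE 802.11i and WPA specifications rather than from the slides, the function names are hypothetical, and the sample elements are constructed.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")  # suite selectors defined by IEEE 802.11i
WPA_OUI = bytes.fromhex("0050f2")  # selectors used by the earlier WPA element
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}


def suite_name(selector, oui, names):
    """Map a 4-byte suite selector (3-byte OUI + 1-byte type) to a name."""
    if len(selector) != 4:
        raise ValueError("truncated suite selector")
    if selector[:3] != oui:
        return "vendor:" + selector.hex()
    return names.get(selector[3], "unknown(%d)" % selector[3])


def read_suites(body, offset, oui, names):
    """Read a little-endian 16-bit count followed by that many selectors."""
    if offset + 2 > len(body):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", body, offset)
    offset += 2
    if offset + 4 * count > len(body):
        raise ValueError("suite list runs past end of element")
    suites = [suite_name(body[offset + 4 * i: offset + 4 * i + 4], oui, names)
              for i in range(count)]
    return suites, offset + 4 * count


def parse_security_element(element):
    """Parse an RSN element (ID 48, WPA2) or a WPA vendor element (ID 221)."""
    if len(element) < 2 or len(element) != 2 + element[1]:
        raise ValueError("length byte does not match element size")
    element_id, body = element[0], element[2:]
    if element_id == 48:
        protocol, oui = "WPA2", RSN_OUI
    elif element_id == 221 and body[:4] == WPA_OUI + b"\x01":
        protocol, oui, body = "WPA", WPA_OUI, body[4:]
    else:
        raise ValueError("not an RSN or WPA element")
    if len(body) < 6:
        raise ValueError("element too short for version and group cipher")
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported version %d" % version)
    group = suite_name(body[2:6], oui, CIPHERS)
    pairwise, offset = read_suites(body, 6, oui, CIPHERS)
    akm, _ = read_suites(body, offset, oui, AKMS)
    return {"protocol": protocol, "group": group, "pairwise": pairwise, "akm": akm}


def assess(info):
    """Return (label, findings) for a parsed element."""
    if "802.1X" in info["akm"]:
        mode = "Enterprise"
    elif "PSK" in info["akm"]:
        mode = "Personal"
    else:
        mode = "unknown"
    findings = []
    if any(c.startswith("WEP") for c in [info["group"]] + info["pairwise"]):
        findings.append("WEP cipher advertised")
    if "TKIP" in info["pairwise"]:
        findings.append("TKIP accepted for unicast traffic")
    if info["group"] == "TKIP" and "CCMP" in info["pairwise"]:
        findings.append("mixed mode: broadcast traffic still uses TKIP")
    if "PSK" in info["akm"]:
        findings.append("pre-shared key, no per-user 802.1X authentication")
    return "%s-%s" % (info["protocol"], mode), findings


# Constructed sample elements (hex), not captured from a real network.
SAMPLES = {
    "corp": "30140100000fac040100000fac040100000fac010000",
    "legacy-mixed": "30180100000fac020200000fac04000fac020100000fac020000",
    "old-ap": "dd160050f20101000050f20201000050f20201000050f202",
}


def audit(samples=SAMPLES):
    """Parse and assess every sample; returns {name: (label, findings)}."""
    return {name: assess(parse_security_element(bytes.fromhex(h)))
            for name, h in samples.items()}


if __name__ == "__main__":
    for name, (label, findings) in audit().items():
        print(name, label, findings or "no findings")
```

Only the first network, which offers CCMP with 802.1X, matches the WPA2-Enterprise configuration the deck goes on to build with IAS; the other two are flagged for TKIP and pre-shared keys.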

Windows Server 2003: Increased Security
Table columns: Capability; Windows NT 4.0; Windows 2000 Server; Windows Server 2003.
Capabilities listed:
Integrated with Active Directory *
Integrated PKI for smartcard authentication
Rich XML logging
RADIUS load balancing
802.1X for secure authentication on wired and wireless networks
PEAP for password-based network authentication
Network quarantine
NAT traversal for VPNs using IPSec
Integrated IPv6 network stack
Legend: P – included in the Windows Server product; P+ – includes improvements over the previous version; * integrated with Windows NT 4.0 User Domains.

Trends …

The Windows Server 2003 Solution
Diagram labels: hacker, Windows Server 2003, legacy wireless, file servers, email, web apps.
Secure; Manageable; Interoperable; Best Cost.
Verifies a valid X.509 certificate.
Safeguard against fake APs.
Strong encryption for protection against DoS.
Dynamic key changes.

Background: Wireless networking is a fast-growing trend, especially with the built-in support for standards like 802.11 and Bluetooth. The biggest inhibitor to its growth, however, is the weakness of the 802.11 standard. The key weaknesses of the protocol include things like a static key for a session, weak encryption of credentials over the wire and no defense mechanism against a rogue access point. Microsoft, realizing the problem, recommended a port-based solution that addressed these issues not only for wireless but for wired access as well. The recommendation was accepted as what became known as the 802.1X standard.

The Solution: 802.1X uses what is called the EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) protocol, which authenticates the client against a RADIUS server. For 802.1X to work, a server has to authenticate itself against the client and vice versa, which was not the case with 802.1X. This way the threat of a rogue AP is minimized. Secondly, 802.1X uses certificates for encryption, making it extremely difficult to force denial of service attacks and ensures that the server. Windows Server 2003 also offers what is called Protected EAP or PEAP (a standard IETF draft), which uses secure passwords for authentication. To read more about PEAP, please visit www.microsoft.com/wifi

Standards Compliance: 802.1X is a standard that is being followed by all major vendors including Microsoft. PEAP is also a proposed standard that has Cisco's and RSA's backing besides Microsoft's. With Windows networking technologies a customer will always enjoy interoperability. Although 802.1X is a secure solution, the problem is that it requires a PKI infrastructure, which is hard to implement and expensive. Microsoft solves this problem by providing a secure, manageable and affordable solution.

Windows Server 2003: Secure, Manageable, Interoperable, Best Cost
Security services included, such as Certification Authority.
Secure, password-based wireless access.
Supports third-party authentication methods.
Secure against password (dictionary) attacks.

The unique value of Microsoft technologies is that they can be combined for maximum customer benefit, to enjoy services like single sign-on. You can use a Windows-based VPN or decide to deploy a secure wireless solution from Microsoft, and it will still give you the level of security, manageability and interoperability that you want from a solution; however, consolidated network access is simple and cost effective. You can easily roll out an additional service if you have any one of the services in place, without changing the infrastructure. Just by adding a few servers you can move from a VPN environment to an added wireless LAN. There are no added CALs for any of the additional services, making it extremely cost effective.

Windows Server 2003: Secure, Manageable, Interoperable, Best Cost
Easy implementation using guides.
Centralized client management.
Detailed network reporting and monitoring.
Easy deployment with the zero client configuration feature.

Windows Server 2003, by tightly integrating authentication and security services out of the box, makes the task of management simple. An administrator has full control over the identity of the clients and can push down policies centrally without having to manage them at various locations. With the addition of newer tools, monitoring and accounting of users is enhanced, and many of the critical and hard-to-implement services have been automated, requiring less human intervention and thus reducing the margin of error.

Windows Server 2003: Secure, Manageable, Interoperable, Best Cost
Standards-based DHCP, DNS and TCP/IP stack.
Support for the main network protocols.
Interoperability with certified Wi-Fi devices.

Interoperability: Windows Server 2003 technologies are based on industry standards as defined by IEEE’s IETF and WECA bodies. A customer can rest assured of a multi-vendor environment when going with Microsoft's technologies. Microsoft client and server protocols are supported by all major gateway vendors such as Cisco, Checkpoint and Nortel. Going with Windows, customers have the flexibility to deploy an end-to-end solution or to take part of the solution to work with an existing standards-based infrastructure. Although Microsoft technologies offer wide multi-vendor support, to realize maximum benefits it is highly recommended that a customer deploy an end-to-end solution.

Windows Server 2003: Secure, Manageable, Interoperable, Best Cost
Same infrastructure for dial-up, VPN, wired and wireless connections.
Single sign-on to network resources.
Same client for all access methods.

The unique value of Microsoft technologies is that they can be combined for maximum customer benefit, to enjoy services like single sign-on. You can use a Windows-based VPN or decide to deploy a secure wireless solution from Microsoft, and it will still give you the level of security, manageability and interoperability that you want from a solution; however, consolidated network access is simple and cost effective. You can easily roll out an additional service if you have any one of the services in place, without changing the infrastructure. Just by adding a few servers you can move from a VPN environment to an added wireless LAN. There are no added CALs for any of the additional services, making it extremely cost effective.

Wireless Network Elements
Domain Controller (DC); RADIUS (IAS); Certification Authority (CA); DHCP Services (DHCP); DNS Services (DNS).
[Diagram: a branch office and a central office, each with a LAN, access points and WLAN clients; servers labelled IAS/DNS/DC, IAS/CA/DC and DHCP, in primary and secondary roles.]

IAS Server
Improvements to the Windows 2000 IAS server for wireless: authentication using certificates (EAP-TLS) and secure passwords (PEAP); support for computer authentication, for both the EAP-TLS and PEAP solutions.
Windows 2003 IAS Server: performance improvements when using certificate distribution; registration of APs with RADIUS servers; improved event capture (logging) using both SQL and the XML format; scaling up with RADIUS proxy fail-over and fail-back; scaling out by exporting and restoring the configuration.

Active Directory
Windows 2000 AD: certificate auto-enrollment and renewal only.
Windows 2003 AD: auto-enrollment and renewal for computers; auto-enrollment and renewal for users; Group Policy support for wireless settings.

What's New in Longhorn
Native WPA2 support.
Improved wireless profiles.
Support for WPA2 authentication options via GPO.
Lists of allowed and denied wireless networks.
Integration with NAP (Network Access Protection).

What We Learned: wireless overview; security protocols; market standards; environment models; what's new for Longhorn/Vista.

Next steps. Visit:
Wireless documentation: http://www.microsoft.com/technet/itsolutions/network/wifi/default.mspx
IAS documentation: http://www.microsoft.com/ias
WLAN Device Driver development: http://www.microsoft.com/hwdev/tech/network/wireless
802.1X Authentication: http://msdn.microsoft.com/library/en-us/wceddk40/htm/cmcon8021Xauthentication.asp
Wireless Network Security within 802.1X: http://www.microsoft.com/WINDOWSXP/pro/evaluation/overviews/8021X.asp
Set up 802.1X Authentication on Windows XP Client: http://www.microsoft.com/windowsxp/home/using/productdoc/en/8021X_client_configure.asp
Associations:
Wireless LAN: http://www.ieee.org
IEEE 802.11 & 802.1X: http://www.ieee.org
Wi-Fi Alliance: http://www.wi-fi.org

Next steps
Security training: http://www.microsoft.com/seminar/events/security.mspx
Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx
Find additional e-learning clinics: https://www.microsoftelearning.com/security
Get additional security information on Exchange Server 2003: http://www.microsoft.com/technet/prodtechnol/exchange/default.mspx

For more information, visit us at www.technetbrasil.com.br
Our security pages: www.microsoft.com/brasil/seguranca and www.microsoft.com/security
Learn and teach more about Internet safety for children, young people and adults at: www.navegueprotegido.org

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.