Firewall Wizards mailing list archives
RE: (In)security of wireless LANs and the Cisco Wireless Security Suite
From: "Ben Nagy" <ben () iagu net>
Date: Tue, 4 Nov 2003 15:34:28 +0100
Wow, that's a nice paper - thanks. For lazy readers, here's the ref from John, shortened: http://snurl.com/2u02

We touched on this briefly a little while ago, when we were talking about 802.1x, so you might want to go and read the recent archives. If you like, skip to the end for the summary. :)

Here's my (notoriously inexpert) opinion on the crypto problems with Cisco LEAP and some of the derivatives.

LEAP is "broken". That's easy for people to say, and to an extent it's true. However, some people may overestimate the extent of its broken-ness. The basic problem is that there's a really, really _stupid_ crypto mistake which I can't believe they missed.

The LEAP Flaw:

The SekRiT PaSsWorD is shoved through MD4, which produces a 16 byte hash. This hash is then padded with 5 nulls (whups!) to produce 21 bytes. The result is split into three chunks of 7. That happens to be the same as a 56 bit DES key. These three keys are each used to encrypt one single challenge in sort of ECB (no chaining, anyway), concatenate the outputs and send it as the response.

In other words, the response is E(chunk1){challenge} + E(chunk2){challenge} + E(chunk3){challenge}. This is a dumb idea. I'm sure they had some reason for it which I don't understand, but on the face of it they could have used CBC with a 5 byte IV, used a salt, or one of various other methods. Anyway.

As you can see, the last DES key is very easy to guess (5 known nulls, thus 2 bytes of entropy ~= 2^16), which gives you Chunk 3 - the last two bytes of the password hash. Given that there is no salt, you can now just scream through an existing password database, matching on the last two bytes of the hash.

So, how bad is it? Well, if you use strong passwords, it's not very bad at all. If I tell you that the last two bytes of my password are "<!" then it's not going to buy you much. However, if you use dictionary words or simple derivatives then it's pretty bad.
Other Problems

There are still some other EAP problems, mostly to do with cunning MitM attacks, even on EAP-TTLS, PEAP and the like, depending on the tunneled protocol you use for authentication. There is an IETF draft[1], which may have expired by the time you read this. It's a little more complicated, but my basic summary is - authenticate BOTH ends, if you can, and don't use a tunneled protocol which is itself vulnerable to MitM (CHAP is bad, for example), or you are probably in trouble.

Please remember that the authentication is only one part of the security - there is still some link encryption, and to my quick skim Cisco's pre-standard "TKIP" fixes the most egregious of the WEP problems.

Overall

So, you ask if it's "good enough". Hrm. Myself, I would implement all the bells and whistles, but still do it your way (create an untrusted, firewalled segment and let them VPN in from it - you can do this transparently using Windows IPSec if you are native AD etc).

Overall, however, I believe that if you use all of the available wireless features (MAC filter, SSID, WEP and TKIP (nonstandard) and 802.1x with LEAP or PEAP (better)) then it will almost certainly not be the weakest link in your chain. The risk profile is something you need to work out yourself, of course, based on how valuable the data flowing over this wireless network is.

In one sentence: There are still some crypto problems with the current wireless protocols, but if you are happy with users running IE and receiving email attachments then you shouldn't lose sleep over a best-practice wireless solution.

ben

[1] http://www.ietf.org/internet-drafts/draft-puthenkulam-eap-binding-04.txt
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Stewart, John
Sent: Tuesday, November 04, 2003 12:49 AM
To: 'firewall-wizards () honor icsalabs com'
Subject: [fw-wiz] (In)security of wireless LANs and the Cisco Wireless Security Suite

I've been getting a lot of heat from management at one of our sites to implement wireless networking. I've been adamant in the past that it would not be feasible due to the inherent insecurities with WEP under 802.11. My opinion has been that if they want to use wireless LANs, we can set up a separate leg on the firewall, treat it like a completely untrusted network, and they can VPN in to get access to internal networks.

However, of course the pointy-hairs in that office want to be able to walk around with their laptops as if they were wired. I don't know why it would be so hard to plug the laptop into the wall in the conference room, but I do understand that it would be "nice to have". I use a WAP at home, and like it.

Anyhow, the Cisco offering in this area does look to be somewhat promising at ameliorating the risks involved with wireless. Here is their white paper on their Wireless Security Suite offering: http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b469f.shtml

It does sound like they're doing some good things, and I'm wondering what the opinion is from you wizards on it. Anyone used it? Is it Good Enough? While I understand that adding wireless access points, even when done properly, is inherently adding security risk that I did not have before, my job (of course) is to balance business need versus security.
I guess the question is, with this product, am I taking a larger risk than I am with, say, some of these other issues which would not be necessary in an ideal, secured, world:

- Allowing VPNs from users' PCs (a software firewall is required in that case, but certainly this is riskier than not allowing it)
- HTTP access to everywhere from the internal (Windows) desktops
- Email on Outlook/Exchange. While we disallow executable attachments, and run virus/trojan scanners on the server and desktop, this is certainly another worrisome vector of attack.

So, with this "Wireless Security Suite" on some Aironet access points, is a wireless LAN (connected to our internal network) really a bigger risk than these other risks, necessitated by our business requirements?

thanks!
johnS

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
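The response construction Ben describes in his reply (MD4 of the password, five null bytes of padding to 21 bytes, three 7-byte DES keys, one challenge encrypted three times and concatenated), worked through as an added example; this is not code from the list post, from Cisco, or from any LEAP implementation. It carries a pure-Python MD4 so the NT hash needs no OpenSSL legacy provider, and because the weakness is in how the keys are derived rather than in the cipher, a keyed 64-bit function built from HMAC-SHA256 stands in for DES-ECB (an assumption, to keep the example dependency-free; the recovered hash bytes are the same with either cipher, the wire values are not). The challenge and the password list are constructed. It shows why the third block fixes the last two bytes of the hash after at most 2^16 trials, and why the absence of a salt lets a precomputed hash list be filtered on those two bytes, which is the reason to prefer mutually authenticated, TLS-tunnelled EAP methods as Ben recommends.

```python
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used here for the NT password hash."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):
            a, b, c, d = d, _rotl((a + F(b, c, d) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, _rotl((a + G(b, c, d) + X[r2[i]] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, _rotl((a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The 16-byte hash Ben refers to: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def des_key_from_7(chunk: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes with odd parity in each low bit, as MS-CHAP does."""
    bits = int.from_bytes(chunk, "big")
    out = bytearray()
    for i in range(8):
        b = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        if bin(b).count("1") % 2 == 0:
            b |= 1
        out.append(b)
    return bytes(out)


def block_encrypt(key8: bytes, challenge8: bytes) -> bytes:
    """STAND-IN for DES-ECB (assumption): a keyed 64-bit function from HMAC-SHA256.
    The flaw is in the key derivation, so any keyed block function exhibits it;
    substitute real DES to reproduce actual wire values."""
    return hmac.new(key8, challenge8, hashlib.sha256).digest()[:8]


def leap_response(password_hash: bytes, challenge: bytes) -> bytes:
    """E(chunk1){challenge} + E(chunk2){challenge} + E(chunk3){challenge}."""
    padded = password_hash + b"\x00" * 5                      # 16 + 5 = 21 bytes
    chunks = (padded[0:7], padded[7:14], padded[14:21])       # three 56-bit keys
    return b"".join(block_encrypt(des_key_from_7(c), challenge) for c in chunks)


def recover_hash_tail(challenge: bytes, response: bytes):
    """Chunk 3 is hash[14:16] plus five known nulls, so only 2^16 keys are possible.
    Returns (last two hash bytes, trials used) or (None, 65536)."""
    third = response[16:24]
    for v in range(1 << 16):
        chunk = v.to_bytes(2, "big") + b"\x00" * 5
        if block_encrypt(des_key_from_7(chunk), challenge) == third:
            return v.to_bytes(2, "big"), v + 1
    return None, 1 << 16


def passwords_with_tail(candidates, tail: bytes):
    """No salt: a precomputed hash list can be filtered on its last two bytes."""
    return [p for p in candidates if nt_hash(p)[14:16] == tail]


if __name__ == "__main__":
    challenge = bytes.fromhex("0123456789abcdef")   # constructed, not a captured value
    h = nt_hash("password")                          # constructed sample password
    resp = leap_response(h, challenge)
    tail, trials = recover_hash_tail(challenge, resp)
    print("hash tail", tail.hex(), "found after", trials, "of 65536 trials")
    print("matching list entries:", passwords_with_tail(["letmein", "password", "Secret"], tail))
```

The trial count is bounded by 65536 regardless of password strength; what the two recovered bytes are worth afterwards depends entirely on whether the full hash sits in a list that can be filtered on them, which is Ben's point about dictionary words versus strong passwords.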