Upload: mustafa-jarrar

Post on 28-Jan-2015

Page 1

PalGov © 2011

أكاديمية الحكومة الإلكترونية الفلسطينية

The Palestinian eGovernment Academy

www.egovacademy.ps

Security Tutorial

Session 12

Page 2

About

This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the Commission of the European Communities, grant agreement 511159-TEMPUS-1-2010-1-PS-TEMPUS-JPHES. The project website: www.egovacademy.ps

Project Consortium:

University of Trento, Italy

University of Namur, Belgium

Vrije Universiteit Brussel, Belgium

TrueTrust, UK

Birzeit University, Palestine (Coordinator)

Palestine Polytechnic University, Palestine

Palestine Technical University, Palestine

Université de Savoie, France

Ministry of Local Government, Palestine

Ministry of Telecom and IT, Palestine

Ministry of Interior, Palestine

Coordinator:

Dr. Mustafa Jarrar

Birzeit University, P.O.Box 14- Birzeit, Palestine

Telfax: +972 2 2982935, [email protected]

Page 3

© Copyright Notes

Everyone is encouraged to use this material, or part of it, but should properly cite the project (logo and website), and the author of that part.

No part of this tutorial may be reproduced or modified in any form or by any means, without prior written permission from the project, who have the full copyrights on the material.

Attribution-NonCommercial-ShareAlike

CC-BY-NC-SA

This license lets others remix, tweak, and build upon your work non-commercially, as long as they credit you and license their new creations under the identical terms.

Page 4

Tutorial 5:

Information Security

Session 12: Auditing and Wireless Security

Session 12 Outline:

• Security Auditing

• Break

• Wireless Security Protocols

Page 5

Tutorial 5:

Session 12: Auditing

This session will contribute to the following ILOs:

• A: Knowledge and Understanding

a2: Defines security standards and policies.

• B: Intellectual Skills

b3: Design end-to-end secure and available systems.

• D: General and Transferable Skills

d2: Systems configurations.

d3: Analysis and identification skills.

Page 6

Security Audit

• Auditing is applied to the security of an organization's information system (IS) assets.

• Definition

– "An independent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures. The basic audit objective is to establish accountability for system entities that initiate or participate in security-relevant events and actions. Thus, means are needed to generate and record a security audit trail and to review and analyze the audit trail to discover and investigate attacks and security compromises." [from RFC 2828]

Page 7

Security Audit Trail

• Definition

– "A chronological record of system activities that is sufficient to enable the reconstruction and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a security-relevant transaction from inception to final results" [from RFC 2828].

Page 8

Security Audit Architecture

Page 9

Distributed Audit Trail Model

Page 10

Basic Security Auditing Functions

Page 11

Definition of Events

• Must define what are auditable events

• Common Criteria suggests:

– Introduction of objects

– Deletion of objects

– Distribution or revocation of access rights or capabilities

– Changes to subject or object security attributes

– Policy checks performed by the security software

– Use of access rights to bypass a policy check

– Use of identification and authentication functions;

– Security-related actions taken by an operator/user

– Import/export of data from/to removable media

Page 12

Implementation Requirements

• Agree audit requirements with management

• Scope of checks to be agreed and controlled

• Checks limited to read-only access to software and data

• Identified resources for performing the checks

• Identify special requirements

• Monitor / log all access

• Use documented procedures

Page 13

Collected Information

• Decide on amount of generated data

– Size vs quality

• Data items captured may include:

– Operating system access (system calls)

– Use of system security mechanisms

– Auditing software use

– Remote access

– Events from IDS and firewall systems

– System management / operation events

– Access to selected applications

– Others…

Page 14

Audit Trails on System Level

• Useful to categorize audit trails

• System-level audit trails

– See the System log in the Windows Event Viewer.

Page 15

Application-Level Audit Trails

• to detect security violations within an application

• to detect flaws in the application's interaction with the system

• for critical / sensitive applications, e.g. email, DB

– See the Application log in the Windows Event Viewer.

Page 16

User-Level Audit Trails

• Trace activity of individual users over time

– To hold users accountable for actions taken

– As input to an analysis program that attempts to define normal versus anomalous behavior

– See the System and Security logs in the Windows Event Viewer.

Page 17

Physical-Level Audit Trails

• Generated by physical access controls

– e.g. card-key systems, alarm systems

• Sent to central host for analysis /

storage

• Used in many ministries and

organizations in Palestine

Page 18

Example 1: Windows Event Log

• Each event is an entity that describes some interesting occurrence

– Each event record contains:

• Numeric id, set of attributes, optional user data

– Presented as XML or binary data

• Three main event logs:

– System - system-related applications and drivers

– Application - user-level applications

– Security - written by the Windows Local Security Authority (LSA)

Page 19

Windows Event Categories

• Account logon events

• Account management

• Directory service access

• Logon events

• Object access

• Policy changes

• Privilege use

• Process tracking

• System events

Page 20

Example 1: Windows Event Log Demo

• SEE DEMO

Page 21

Example 2: UNIX Syslog

• UNIX's general-purpose logging mechanism

– found on all UNIX / Linux variants

– but facilities and log formats vary between implementations

Page 22

Syslog Service

• Basic service provides:

– A means of capturing relevant events

– A storage facility

– A protocol for transmitting syslog messages

from other hosts to a central syslog server

• Extra add-on features may include:

– Robust filtering, log analysis, event response,

alternative message formats, log file

encryption, database storage, rate limiting

Page 23

Syslog Protocol

• A transport that lets hosts send event notification messages over IP to syslog servers

– Provides a very general message format

– Allowing processes / apps to use suitable conventions for their logged events

– Can be plain or encrypted

Page 24

Unix Syslog Examples

Mar 1 06:25:43 server1 sshd[23170]: Accepted publickey for server2 from 172.30.128.115 port 21011 ssh2

Mar 1 07:16:42 server1 sshd[9326]: Accepted password for murugiah from 10.20.30.108 port 1070 ssh2

Mar 1 07:16:53 server1 sshd[22938]: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAKIN ATTEMPT!

Mar 1 07:26:28 server1 sshd[22572]: Accepted publickey for server2 from 172.30.128.115 port 30606 ssh2

Mar 1 07:28:33 server1 su: BAD SU kPPU to root on /dev/ttyp2

Mar 1 07:28:41 server1 su: kPPU to root on /dev/ttyp2
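As an added example (not part of the original slides), the following Python script parses the six syslog lines above and performs the kind of review the audit-trail slides describe: it flags sshd's failed reverse-DNS check, flags a root `su` that succeeds shortly after a failed attempt by the same user, and builds the per-user activity trail that the user-level audit trail slide asks for. The sample text is the slide's own six lines embedded as a constant; the alert names, the 60-second window and the field names are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample input: the six syslog lines shown on the slide above.
SAMPLE_SYSLOG = """\
Mar 1 06:25:43 server1 sshd[23170]: Accepted publickey for server2 from 172.30.128.115 port 21011 ssh2
Mar 1 07:16:42 server1 sshd[9326]: Accepted password for murugiah from 10.20.30.108 port 1070 ssh2
Mar 1 07:16:53 server1 sshd[22938]: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAKIN ATTEMPT!
Mar 1 07:26:28 server1 sshd[22572]: Accepted publickey for server2 from 172.30.128.115 port 30606 ssh2
Mar 1 07:28:33 server1 su: BAD SU kPPU to root on /dev/ttyp2
Mar 1 07:28:41 server1 su: kPPU to root on /dev/ttyp2
"""

# Classic BSD syslog layout: "Mmm dd HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
SSH_ACCEPT_RE = re.compile(r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
REVERSE_MAP_RE = re.compile(r"getaddrinfo for (?P<name>\S+) failed - POSSIBLE BREAKIN ATTEMPT")
SU_RE = re.compile(r"^(?P<bad>BAD SU )?(?P<user>\S+) to (?P<target>\S+) on (?P<tty>\S+)$")


def parse_line(line):
    """Split one syslog line into fields; returns None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m["time"].split(":"))
    # BSD syslog carries no year, so build an ordering key in seconds that is
    # only meant for comparing lines inside one log file.
    key = ((MONTHS[m["mon"]] * 31 + int(m["day"])) * 24 + h) * 3600 + mi * 60 + s
    return {
        "ts": f"{m['mon']} {m['day']} {m['time']}", "key": key,
        "host": m["host"], "prog": m["prog"], "pid": m["pid"], "msg": m["msg"],
    }


def analyze(text, su_window=60):
    """Run two audit checks over syslog text and build a per-user activity trail.

    Alerts raised:
      * reverse_dns_mismatch     - sshd could not verify the peer's reverse DNS
      * su_success_after_failure - a user reached the target account within
                                   `su_window` seconds of a failed su attempt
    """
    alerts, trail, last_bad_su = [], defaultdict(list), {}
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["prog"] == "sshd":
            acc = SSH_ACCEPT_RE.match(ev["msg"])
            rev = REVERSE_MAP_RE.search(ev["msg"])
            if acc:
                trail[acc["user"]].append((ev["ts"], f"ssh {acc['method']} logon from {acc['ip']}"))
            elif rev:
                alerts.append({"kind": "reverse_dns_mismatch", "ts": ev["ts"], "name": rev["name"]})
        elif ev["prog"] == "su":
            su = SU_RE.match(ev["msg"])
            if not su:
                continue
            user, target = su["user"], su["target"]
            if su["bad"]:
                trail[user].append((ev["ts"], f"failed su to {target} on {su['tty']}"))
                last_bad_su[(user, target)] = ev["key"]
            else:
                trail[user].append((ev["ts"], f"successful su to {target} on {su['tty']}"))
                failed_at = last_bad_su.get((user, target))
                if failed_at is not None and ev["key"] - failed_at <= su_window:
                    alerts.append({"kind": "su_success_after_failure", "ts": ev["ts"],
                                   "user": user, "target": target, "delay": ev["key"] - failed_at})
    return {"alerts": alerts, "trail": dict(trail)}


if __name__ == "__main__":
    report = analyze(SAMPLE_SYSLOG)
    for a in report["alerts"]:
        print("ALERT", a)
    for user, events in report["trail"].items():
        print(user, events)
```

On the slide's sample the script raises two alerts (the failed reverse mapping at 07:16:53 and kPPU becoming root eight seconds after a failed attempt) and produces a trail for server2, murugiah and kPPU. Syslog has no year field, so the ordering key only makes sense within one file; a real collector would add the year (or use the RFC 5424 timestamp) before correlating across sources.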

Page 25

Logging at Application Level

• privileged applications have security issues

– which system/user-level audit data may not see

– a large percentage of reported vulnerabilities

– e.g. failure to adequately check input data, application logic errors

• hence need to capture detailed behavior

• applications can be written to create audit data

Page 26

Tutorial 5:

Information Security

Session 12: Auditing and Wireless

Security

Session 12 Outline:

• Security Auditing

• Break

• Wireless Security Protocols

Page 27

Introduction to Wireless Security Protocols.

• Introduction to Wireless and Wireless Standards

• Authentication and Association

• WEP and WPA Security Protocols

• Other Wireless Network Security Issues

Page 28

Different Wireless Standards

• Used radio frequencies:

– 2.4 GHz (b, g, n)

– 5 GHz (a, n)

• Wi-Fi, wireless LAN and IEEE 802.11

– Wi-Fi:

• Industry standard proposed by the Wi-Fi Alliance which implements the (drafts of, slightly modified) IEEE 802.11 standards

– Wireless LAN:

• A general term used for wireless short-range, high-speed radio networks

– IEEE 802.11:

• A standard defining a type of wireless connection

Page 29

Wireless LAN Standards

• IEEE 802.11

– Original wireless LAN standard

– Up to 2 Mbps in the 2.4 GHz band

– Security: WEP & WPA

• IEEE 802.11b

– Up to 11 Mbps in the 2.4 GHz band

– Security: WEP & WPA

– "Wi-Fi Certified"

• IEEE 802.11a

– Up to 54 Mbps in the 5 GHz band

– Security: WEP & WPA

– "Wi-Fi Certified"

• IEEE 802.11g

– Up to 54 Mbps in the 2.4 GHz band

– Security: WEP & WPA

– "Wi-Fi Certified"

Page 30

Service Set Identifier

• SSID

– 2-32 byte alphanumeric sequence of characters

– Uniquely names a WLAN

– Case sensitive

– Transmitted in plain text, so it is a network name, not a secret

Page 31

Beacons

• Beacons

– Information frame sent by an AP.

– Approximately 50 bytes:

• Timestamp

• Beacon interval

• Capability info

• Service set identifier

Page 32

Wireless Authentication and Association

• Wireless authentication

– A means to establish or prove identity to wireless access points

– Verifying eligibility of users, devices, or applications.

– Only authorized clients are allowed to gain access to the wireless network.

• Wireless Association

– The binding of a wireless network client to an access point before starting data transfer.

Page 33

Wireless Connection Steps and States

• Connection Process

– First: Authentication Phase

• Open System Authentication

• Shared Key Authentication

– Second: Association Phase

• The Connection Process has 3 States:

– Authenticated and Associated

– Authenticated and Unassociated

– Unauthenticated and Unassociated

Page 34

System Authentication

• Open System Authentication

– Default

– No credentials are checked: the station sends an authentication request (it may even carry an empty / null SSID)

– Receiving station (AP) sends an acknowledgment

• Closed System

– Authentication based only on knowing the SSID, which the AP does not broadcast

– Receiving station (AP) sends an acknowledgment

– Offers little protection: the SSID still travels in plain text in probe and association frames

Page 35

Shared Key Authentication

• Shared Key

– IEEE 802.11 Wired Equivalent Privacy (WEP).

– Authentication based on a challenge text and the WEP keys.

– Challenge – Response scheme: the AP sends a clear-text challenge, the station returns it WEP-encrypted

– Weakness: an eavesdropper who sees both challenge and response obtains a keystream (their XOR) and can answer later challenges without the key

Page 36

802.1x and EAP

• 802.1x:

– a port-level access control protocol,

– provides a security framework for IEEE networks,

– including Ethernet and wireless networks.

• EAP - Extensible Authentication Protocol,

– originally defined as the authentication protocol inside PPP

– provides a framework for many authentication methods.

Page 37

Wired Equivalent Privacy (WEP)

• Defined in the original IEEE 802.11 standard (and so used by 802.11b).

• A secret key is shared between stations and an access point.

• The secret key is used to encrypt data packets

• Uses an integrity check value (ICV)

• Logical service is located within the MAC layer.

• Provided are:

– Confidentiality;

– Authentication;

– Access control in conjunction with layer management.

Page 38

WEP Properties (as claimed by the standard)

• "Reasonably strong" (RC4) - in practice broken: the key can be recovered from captured traffic

• Self-synchronizing, efficient and may be exportable

• Optional

Page 39

WEP IV and Secret Keys

• 802.11b

– 64-bit shared RC4 key: 24-bit IV plus a 40-bit secret key.

– 128-bit shared RC4 key: 24-bit IV plus a 104-bit secret key.

– 152-bit shared RC4 key: 24-bit IV plus a 128-bit secret key.

• PRNG seed = IV (24 bits) || Secret Key (40 bits); the IV is sent in the clear with every frame

Page 40

WEP Key Servers

• Advantages of Key Servers

– Centralized key generation

– Centralized key distribution

– Ongoing key rotation

– Reduced key management overhead.

Page 41

WEP Key Weaknesses

• Small key size (40 bit)

• Simple (manual, static) key management

• Too small IV space:

24-bit = 16,777,216 different cipher streams, so IVs repeat quickly on a busy network

• Weak ICV algorithm (CRC-32): linear, so bits can be flipped and the ICV fixed up without the key

• Authentication messages can be easily faked.
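The IV and ICV weaknesses listed above (and the seed construction on the WEP IV slide) can be shown concretely. The following Python code is an added example, not from the slides: a minimal WEP encrypt/decrypt built on RC4, a bit-flipping forgery that keeps the ICV valid because CRC-32 is affine, keystream recovery from two frames that reuse an IV, and the birthday-bound estimate of how soon a 24-bit IV repeats. The key, IV and messages are constructed test values; the little-endian ICV byte order is a convention chosen here and does not affect either attack.

```python
import math
import zlib

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 possible IVs per key


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then the PRGA output WEP XORs over the frame."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP's integrity check value is a plain CRC-32 over the plaintext."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || (plaintext || ICV) XOR RC4(IV || key), i.e. the WEP frame body."""
    assert len(iv) == 3 and len(secret_key) in (5, 13, 16)
    body = plaintext + icv(plaintext)
    return iv + xor_bytes(body, rc4_keystream(iv + secret_key, len(body)))


def wep_decrypt(secret_key: bytes, frame: bytes):
    """Return (plaintext, icv_ok) exactly as a receiver would compute them."""
    iv, body = frame[:3], frame[3:]
    clear = xor_bytes(body, rc4_keystream(iv + secret_key, len(body)))
    plaintext, tag = clear[:-4], clear[-4:]
    return plaintext, icv(plaintext) == tag


def forge_bitflip(frame: bytes, delta: bytes) -> bytes:
    """Flip chosen plaintext bits without the key while keeping the ICV valid.

    CRC-32 is affine: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(0...0) for equal
    lengths, so XORing the ciphertext with delta and with the matching ICV
    delta yields a frame that still passes the receiver's integrity check.
    """
    icv_delta = xor_bytes(icv(delta), icv(bytes(len(delta))))
    return frame[:3] + xor_bytes(frame[3:], delta + icv_delta)


def recover_with_known_plaintext(known_frame: bytes, known_plaintext: bytes,
                                 target_frame: bytes) -> bytes:
    """Two frames under one IV share a keystream; one known plaintext unmasks the other."""
    assert known_frame[:3] == target_frame[:3], "attack needs an IV collision"
    keystream = xor_bytes(known_frame[3:], known_plaintext + icv(known_plaintext))
    target_body = target_frame[3:]
    assert len(target_body) <= len(keystream)
    return xor_bytes(target_body, keystream[:len(target_body)])[:-4]


def iv_collision_probability(frames: int) -> float:
    """Birthday bound: chance that at least two of `frames` random 24-bit IVs repeat."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * IV_SPACE))
```

With around 5,000 frames the chance of a repeated IV already exceeds one half, and a busy AP sends that many in seconds; real cracking tools go further than this known-plaintext trick and recover the key itself from biased RC4 output, but the two functions above already show why WEP provides neither confidentiality nor integrity against an active attacker.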

Page 42

IEEE 802.11i and WPA

• Overview

• IEEE 802.11 task group i:

• Specification for robust security

– Robust security network (RSN):

– Implements only the new mechanisms proposed by 802.11i

– Transitional security network (TSN):

– Allows RSN and WEP to cooperate

– Generally 802.11i is used to designate both of them

• Wi-Fi

– Wi-Fi Protected Access (WPA)

– Adopts a subset of the 802.11i specifications

– Extensions added

Page 43

IEEE 802.11i Features

• Separation of security services

– Avoids one security service relying on another.

– Uses different mechanisms

• Use of session keys

– Master key is never used for encryption

• Use of existing standards

– Already tested, more robust

Page 44

Key usage for IEEE 802.11i

• Use of master and temporal keys

• WPA master keys are generated during authentication.

• Temporal keys are generated from the master key once the STA is authenticated

• Temporal keys are short-lived keys

Page 45

IEEE 802.11i: Security Services

A. Authentication: mutual authentication between the STA and the network

– Personal: pre-shared keys (WPA-PSK, passwords)

– Enterprise: IEEE 802.1X (EAP, RADIUS)

B. Confidentiality and Data Integrity

– Key distribution using EAPOL, 802.1X

– TKIP: Temporal Key Integrity Protocol

– CCMP: Counter-Mode CBC-MAC Protocol

C. Access Control: ensures that only legitimate users access the network

– Entirely based on the authentication result

– Implemented at the AP

» This slide is taken from "Hani Ragab Hassen Lecture Notes, Kent University."

Page 46

Enterprise Authentication

• WPA-PSK does not scale: one shared secret for every user

• Enterprise suite:

– 802.1X: limits access to the network to EAP traffic until the authentication is done

– EAP: carries the authentication exchanges

• EAPOL-Key packets are used to distribute the session keys after successful authentication

• EAP was originally designed for dial-up connections

– Runs over 802.1X (EAPOL) inside a LAN

– Runs over RADIUS outside the LAN

– RADIUS: the RADIUS server holds the users' credentials

» This slide is taken from "Hani Ragab Hassen Lecture Notes, Kent University."

Page 47

IEEE 802.1X, EAP and RADIUS

This slide is taken from "Hani Ragab Hassen Lecture Notes, Kent University."

[Figure: Supplicant – Authenticator (AP) – Authentication Server]

Page 48

Extensible Authentication Protocol (EAP)

• Extensible Authentication Protocol (RFC 2284, since replaced by RFC 3748)

• Used between the authentication server (AS) and the supplicant; the authenticator only forwards EAP messages

• Method-specific messages are defined for each authentication method

– Transport Layer Security (TLS)

– Tunneled TLS (TTLS)

– Kerberos

• Mutual authentication is possible

Page 49

IEEE 802.1X for IEEE 802.11

• Three involved entities:

1. Supplicant: the STA which needs to have access; initiates the authentication

2. Authenticator: gate controller (AP)

3. Authentication Server (AS): decides whether to grant the supplicant access or not, according to the information transmitted by the authenticator

Page 50

EAP and 802.1X

• EAP was designed originally for dial-up authentication

– Not adapted for LAN

• 802.1X defines EAP over LAN (EAPOL)

– EAPOL-Packet: encapsulates EAP packets

– EAPOL-Start: lets the supplicant discover local authenticators and start the exchange

– EAPOL-Key: transports keys after successful authentication

– EAPOL-Logoff: sent by the supplicant to disconnect

Page 51

RADIUS: Why?

• EAPOL cannot transport EAP packets over an IP network

• A secure channel should be used

• EAP over RADIUS (RFC 2869: RADIUS Extensions)

• Remote Authentication Dial-In User Service (RFC 2865)

• A central authentication server + local authenticators

– As in IEEE 802.11

– Designed firstly to be used by Internet Service Providers (ISP)

Page 52

RADIUS: How?

Page 53

Fitting it all together!

[Figure: Supplicant – Authenticator (AP) – Authentication Server]
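To tie the enterprise-authentication, EAP, 802.1X and RADIUS slides together, here is an added example (not the lecture's own code) that simulates the three-party exchange in Python: the supplicant, the authenticator that relays EAP inside RADIUS and keeps its controlled port closed to everything except EAPOL until an Access-Accept arrives, and the authentication server that holds the credentials. EAP packet framing and the Request/Response/Success/Failure codes follow RFC 3748; the HMAC challenge-response method placed under the Experimental type, the toy session-key derivation and the user database are assumptions made for this example only.

```python
import hashlib
import hmac
import os
import struct

# EAP packet codes and types (RFC 3748, the successor of RFC 2284).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_TYPE_EXPERIMENTAL = 255   # assumption: a toy HMAC challenge-response method under the experimental type


def eap_pack(code, ident, eap_type=None, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eap_unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    body = pkt[4:length]
    if code in (EAP_REQUEST, EAP_RESPONSE):
        return code, ident, body[0], body[1:]
    return code, ident, None, body


class AuthServer:
    """RADIUS authentication server: holds the credentials, sees only EAP inside RADIUS."""

    def __init__(self, users):
        self.users = users        # username -> password (constructed test data)
        self.pending = {}         # EAP identifier -> (user, challenge)

    def access_request(self, eap_pkt):
        """Return (RADIUS code, EAP packet to relay, session key or None)."""
        _, ident, eap_type, data = eap_unpack(eap_pkt)
        if eap_type == EAP_TYPE_IDENTITY:
            challenge = os.urandom(16)
            self.pending[ident + 1] = (data.decode(), challenge)
            return "Access-Challenge", eap_pack(EAP_REQUEST, ident + 1, EAP_TYPE_EXPERIMENTAL, challenge), None
        user, challenge = self.pending.pop(ident, (None, None))
        password = self.users.get(user)
        if password is not None:
            expected = hmac.new(password.encode(), challenge, hashlib.sha256).digest()
            if hmac.compare_digest(expected, data):
                # Toy key derivation (assumption); real EAP methods derive the MSK inside the method.
                key = hashlib.sha256(b"session" + password.encode() + challenge).digest()[:16]
                return "Access-Accept", eap_pack(EAP_SUCCESS, ident), key
        return "Access-Reject", eap_pack(EAP_FAILURE, ident), None


class Supplicant:
    """The station: answers EAP requests and receives the session key via EAPOL-Key."""

    def __init__(self, user, password):
        self.user, self.password, self.session_key = user, password, None

    def handle_eap(self, pkt):
        code, ident, eap_type, data = eap_unpack(pkt)
        if code == EAP_REQUEST and eap_type == EAP_TYPE_IDENTITY:
            return eap_pack(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, self.user.encode())
        if code == EAP_REQUEST and eap_type == EAP_TYPE_EXPERIMENTAL:
            mac = hmac.new(self.password.encode(), data, hashlib.sha256).digest()
            return eap_pack(EAP_RESPONSE, ident, EAP_TYPE_EXPERIMENTAL, mac)
        return None   # EAP-Success / EAP-Failure need no reply


class Authenticator:
    """The access point: relays EAP between the two ends and gates the controlled port."""

    def __init__(self, auth_server):
        self.server, self.port_authorized, self.transcript = auth_server, False, []

    def deliver_data(self, frame):
        """Non-EAPOL traffic is dropped until the controlled port is authorized."""
        if not self.port_authorized:
            self.transcript.append("DROP non-EAPOL frame (port unauthorized)")
            return False
        return True

    def run_eapol(self, supplicant):
        self.transcript.append("EAPOL-Start")
        response = supplicant.handle_eap(eap_pack(EAP_REQUEST, 0, EAP_TYPE_IDENTITY))
        while True:
            self.transcript.append("EAP-Response relayed in RADIUS Access-Request")
            verdict, eap_pkt, key = self.server.access_request(response)
            self.transcript.append(verdict)
            if verdict == "Access-Challenge":
                response = supplicant.handle_eap(eap_pkt)   # relayed untouched
                continue
            supplicant.handle_eap(eap_pkt)                  # EAP-Success or EAP-Failure
            if verdict == "Access-Accept":
                self.port_authorized = True
                supplicant.session_key = key                # EAPOL-Key carries the session key
                self.transcript.append("EAPOL-Key")
            return self.port_authorized
```

The point to notice is what the authenticator does not do: it never sees the password or verifies the response itself, it only relays EAP and acts on the RADIUS verdict, which is why the credential store can sit on one central server while every AP enforces the port state locally. A rejected supplicant leaves the port unauthorized and receives no EAPOL-Key.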

Page 54

802.11 Security Protocols

                  WEP    WPA Personal   WPA Enterprise      WPA2 Personal   WPA2 Enterprise     802.11i
Authentication    -      PSK            802.1X/EAP/Radius   PSK             802.1X/EAP/Radius   PSK or 802.1X/EAP, Radius (O)
Data Encryption   WEP    TKIP           TKIP                CCMP/TKIP (O)   CCMP/TKIP (O)       CCMP/TKIP

(O) = optional

Page 55

Wireless Packet / Data Filtering

• Blocking unwanted traffic.

• Three basic types of filtering:

– SSID Filtering

– MAC Address Filtering (weak on its own: MAC addresses are sent in the clear and easily spoofed)

– Protocol Filtering

Page 56

Attacks on WLANs

• Some attack methods:

– Passive Attacks (Eavesdropping)

– Active Attacks

• Jamming Attacks

• Man-in-the-middle Attacks

Page 57

Emerging Security Solutions

• WEP Key Management

• Wireless VPNs

• TKIP

• AES

• Wireless Gateways

• 802.1X and EAP

• Policies

• Etc…

Page 58

Wireless VPN

• VPN

– Virtual private network.

– Private network link carried on a public network

– Uses tunnelling

– Utilizes encryption techniques

Page 59

Roaming

• Roaming

– ability for a user to function when the serving network is different from their home network.

– The process of a client moving from one area or AP to another while maintaining a data link.

• Mobile IP

– allows users with mobile devices whose IP addresses are associated with one network to stay connected when moving to another network with a different IP.

Page 60

Roaming and Mobility

Page 61

VPN Use in Roaming

• Wireless VPN implemented by two methods:

– A centralized VPN server (hardware / software)

– A distributed set of VPN servers

• Can be located in the AP with RADIUS support

Page 62

Corporate Security Policy

• Develop a wireless security policy

– define what is and what is not allowed with wireless technology.

• Measure the basic field coverage of the wireless network.

• Know the technologies and the users that use the network.

• Physical Security

Page 63

Corporate Security Policy

• Set baselines and perform audits / monitoring of the network.

• Harden APs, servers, and gateways.

• Determine the level of security protocols and standards.

• Consider using switches, DMZ, RADIUS servers, and VPN.

• Update firmware and software.

Page 64

Securing WLAN Policies

• If possible, put the wireless network behind its own routed interface so you can shut it off if necessary.

• Pick a random SSID that gives away nothing about your network.

• Set your AP to 'Closed Network'.

• Set the authentication method to 'Open' (802.1X, not WEP shared-key authentication, then does the real authentication).

• Have your broadcast keys rotate every few minutes.

• Use 802.1X for key management and authentication

– Look over the available EAP protocols and decide which is right for your environment.

– Set the session to time out every few minutes.

Page 65

References

1. Computer Security: Principles and Practice, by William Stallings and Lawrie Brown. Pearson/Prentice Hall, 2008. ISBN 0-13-600424-5.

2. Cisco CWNA Course.

3. Dr. Hani Ragab Hassen, Lecture Notes, Kent University.

Page 66

Summary

• In this session we discussed the following:

– Introduced need for security auditing

– Audit model, functions, requirements

– Security audit trails

– Implementing logging and analysis.

– Overview of wireless networking and standards

– Wireless security protocols and policies

Page 67

Thanks

Radwan Tahboub