PalGov © 2011
The Palestinian eGovernment Academy
www.egovacademy.ps
Security Tutorial
Session 12
About
This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the
Commission of the European Communities, grant agreement 511159-TEMPUS-1-
2010-1-PS-TEMPUS-JPHES. The project website: www.egovacademy.ps
Project Consortium:
University of Trento, Italy
University of Namur, Belgium
Vrije Universiteit Brussel, Belgium
TrueTrust, UK
Birzeit University, Palestine (Coordinator)
Palestine Polytechnic University, Palestine
Palestine Technical University, Palestine
Université de Savoie, France
Ministry of Local Government, Palestine
Ministry of Telecom and IT, Palestine
Ministry of Interior, Palestine
Coordinator:
Dr. Mustafa Jarrar
Birzeit University, P.O.Box 14- Birzeit, Palestine
Telfax:+972 2 2982935 [email protected]
© Copyright Notes
Everyone is encouraged to use this material, or part of it, but should properly
cite the project (logo and website), and the author of that part.
No part of this tutorial may be reproduced or modified in any form or by any
means, without prior written permission from the project, who have the full
copyrights on the material.
Attribution-NonCommercial-ShareAlike
CC-BY-NC-SA
This license lets others remix, tweak, and build upon your work non-commercially, as long as they credit you and license their new creations under the identical terms.
Tutorial 5: Information Security
Session 12: Auditing and Wireless Security
Session 12 Outline:
• Security Auditing
• Break
• Wireless Security Protocols
Tutorial 5: Session 12: Auditing
This session will contribute to the following ILOs:
• A: Knowledge and Understanding
– a2: Defines security standards and policies.
• B: Intellectual Skills
– b3: Design end-to-end secure and available systems.
• D: General and Transferable Skills
– d2: Systems configurations.
– d3: Analysis and identification skills.
Security Audit
• Auditing is applied to the security of an organization's information system (IS) assets.
• Definition: "An independent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures. The basic audit objective is to establish accountability for system entities that initiate or participate in security-relevant events and actions. Thus, means are needed to generate and record a security audit trail and to review and analyze the audit trail to discover and investigate attacks and security compromises." [from RFC2828]
Security Audit Trail
• Definition
– "A chronological record of system activities that is sufficient to enable the reconstruction and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a security-relevant transaction from inception to final results" [from RFC2828].
Security Audit Architecture
Distributed Audit Trail Model
Basic Security Auditing Functions
Definition of Events
• Must define what are auditable events
• Common Criteria suggests:
– Introduction of objects
– Deletion of objects
– Distribution or revocation of access rights or capabilities
– Changes to subject or object security attributes
– Policy checks performed by the security software
– Use of access rights to bypass a policy check
– Use of identification and authentication functions
– Security-related actions taken by an operator/user
– Import/export of data from/to removable media
Implementation Requirements
• Decide on requirements management
• Scope of checks to be agreed and controlled
• Checks limited to read-only access to software and data
• Identify resources for performing the checks
• Identify special requirements
• Monitor / log all access
• Use documented procedures
Collected Information
• Decide on amount of generated data
– Size vs quality
• Data items captured may include:
– Operating system access (system calls)
– Use of system security mechanisms
– Auditing software use
– Remote access
– Events from IDS and firewall systems
– System management / operation events
– Access to selected applications
– Others…
Audit Trails on System Level
• Useful to categorize audit trails
• System-level audit trails
– See MS System event viewer.
Application-Level Audit Trails
• To detect security violations within an application
• To detect flaws in an application's interaction with the system
• For critical / sensitive applications, e.g. email, DB
– See MS Application event viewer.
User-Level Audit Trails
• Trace activity of individual users over time
– To hold user accountable for actions taken
– As input to an analysis program that attempts to define normal versus anomalous behavior
– See MS System and Security event viewers.
Physical-Level Audit Trails
• Generated by physical access controls
– E.G. Card-key systems, alarm systems
• Sent to a central host for analysis / storage
• Used in many ministries and organizations in Palestine
Example 1: Windows Event Log
• Each event is an entity that describes some interesting occurrence
– Each event record contains:
• Numeric id, set of attributes, optional user data
– Presented as XML or binary data
• There are three types of event logs:
– System: system-related apps & drivers
– Application: user-level apps
– Security: Windows LSA
Windows Event Categories
• Account logon events
• Account management
• Directory service access
• Logon events
• Object access
• Policy changes
• Privilege use
• Process tracking
• System events
Example 1: Windows Event Log Demo
• SEE DEMO
Example 2: UNIX Syslog
• UNIX's general-purpose logging mechanism
– found on all UNIX / Linux variants
– but with variants in facility and log format
Syslog Service
• Basic service provides:
– A means of capturing relevant events
– A storage facility
– A protocol for transmitting syslog messages from other hosts to a central syslog server
• Extra add-on features may include:
– Robust filtering, log analysis, event response, alternative message formats, log file encryption, database storage, rate limiting
Syslog Protocol
• A transport allowing hosts to send IP event notification messages to syslog servers
– Provides a very general message format
– Allowing processes / apps to use suitable conventions for their logged events
– Can be plain or encrypted
Unix Syslog Examples
Mar 1 06:25:43 server1 sshd[23170]: Accepted publickey for server2 from 172.30.128.115 port 21011 ssh2
Mar 1 07:16:42 server1 sshd[9326]: Accepted password for murugiah from 10.20.30.108 port 1070 ssh2
Mar 1 07:16:53 server1 sshd[22938]: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAKIN ATTEMPT!
Mar 1 07:26:28 server1 sshd[22572]: Accepted publickey for server2 from 172.30.128.115 port 30606 ssh2
Mar 1 07:28:33 server1 su: BAD SU kPPU to root on /dev/ttyp2
Mar 1 07:28:41 server1 su: kPPU to root on /dev/ttyp2
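As an added example (not part of the tutorial), the following Python parses the sshd and su lines shown above into fields and derives the audit events a reviewer looks for: successful logins by user, source and method, the reverse-DNS warning, and a failed su to root followed by a successful one by the same user. The regular expressions and event names are my own.

```python
import re
from collections import Counter

# Sample input: the six syslog lines from the slide above, embedded verbatim.
SAMPLE_LOG = """\
Mar 1 06:25:43 server1 sshd[23170]: Accepted publickey for server2 from 172.30.128.115 port 21011 ssh2
Mar 1 07:16:42 server1 sshd[9326]: Accepted password for murugiah from 10.20.30.108 port 1070 ssh2
Mar 1 07:16:53 server1 sshd[22938]: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAKIN ATTEMPT!
Mar 1 07:26:28 server1 sshd[22572]: Accepted publickey for server2 from 172.30.128.115 port 30606 ssh2
Mar 1 07:28:33 server1 su: BAD SU kPPU to root on /dev/ttyp2
Mar 1 07:28:41 server1 su: kPPU to root on /dev/ttyp2
"""

# Classic BSD syslog layout: "Mon dd HH:MM:SS host tag[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
ACCEPT_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")
SU_RE = re.compile(r"^(?P<bad>BAD SU )?(?P<user>\S+) to (?P<target>\S+) on (?P<tty>\S+)$")

def parse_line(line):
    """Split one syslog line into its fields; None for lines that do not fit the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(rec):
    """Map a parsed record to (event_type, subject, object, detail) for the audit trail."""
    tag, msg = rec["tag"], rec["msg"]
    if tag == "sshd":
        m = ACCEPT_RE.search(msg)
        if m:
            return ("ssh_login_ok", m["user"], m["src"], m["method"])
        if "POSSIBLE BREAKIN ATTEMPT" in msg:
            return ("ssh_reverse_dns_mismatch", None, None, None)
    elif tag == "su":
        m = SU_RE.match(msg)
        if m:
            return ("su_failed" if m["bad"] else "su_ok", m["user"], m["target"], m["tty"])
    return ("other", None, None, None)

def audit_summary(text):
    """Count event types and list users who failed su to root and later succeeded."""
    events = [classify(r) for r in map(parse_line, text.splitlines()) if r]
    counts = Counter(e[0] for e in events)
    failed = {e[1] for e in events if e[0] == "su_failed" and e[2] == "root"}
    succeeded = {e[1] for e in events if e[0] == "su_ok" and e[2] == "root"}
    return counts, sorted(failed & succeeded)
```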
Logging at Application Level
• Privileged applications have security issues
– which system/user-level audit data may not see
– a large percentage of reported vulnerabilities
– e.g. failure to adequately check input data, application logic errors
• Hence the need to capture detailed behavior
• Applications can be written to create audit data
Tutorial 5: Information Security
Session 12: Auditing and Wireless Security
Session 12 Outline:
• Security Auditing
• Break
• Wireless Security Protocols
Introduction to Wireless Security Protocols
• Introduction to Wireless and Wireless Standards
• Authentication and Association
• WEP and WPA Security Protocols
• Other Wireless Network Security Issues
Different Wireless Standards
• Radio frequencies used:
– 2.4 GHz (b, g, n)
– 5 GHz (a, n)
• Wi-Fi, wireless LAN and IEEE 802.11
– Wi-Fi: industry standard proposed by the Wi-Fi Alliance which implements the (drafts of, slightly modified) IEEE 802.11 standards
– Wireless LAN: a general term used for wireless short-range, high-speed radio networks
– IEEE 802.11: a standard defining a type of wireless connection
Wireless LAN Standards
• IEEE 802.11
– Original wireless LAN standard
– Up to 2Mbps in the 2.4GHz band
– Security: WEP & WPA
• IEEE 802.11b
– Up to 11Mbps in the 2.4GHz band
– Security: WEP & WPA
– "Wi-Fi Certified"
• IEEE 802.11a
– Up to 54Mbps in the 5GHz band
– Security: WEP & WPA
– "Wi-Fi Certified"
• IEEE 802.11g
– Up to 54Mbps in the 2.4GHz band
– Security: WEP & WPA
– "Wi-Fi Certified"
Service Set Identifier
• SSID
– 2-32 byte alphanumeric sequence of characters
– Uniquely names a WLAN
– Case sensitive
– Encoded in plain text
Beacons
• Beacons
– Information frame sent by an AP.
– Approximately 50-bytes:
• Timestamp
• Beacon interval
• Capability info
• Service set identifier
Wireless Authentication and Association
• Wireless authentication
– A means to establish or prove identity to wireless access points
– Verifying eligibility of users, devices, or applications.
– Only authorized clients are allowed to gain access to the wireless network.
• Wireless Association
– The binding of a wireless network client to an access point before starting data transfer.
Wireless Connection Steps and States
• Connection Process
– First: Authentication Phase
• Open System Authentication
• Shared Key Authentication
– Second: Association Phase
• The Connection Process has 3 States:
– Authenticated and Associated
– Authenticated and Unassociated
– Unauthenticated and Unassociated
System Authentication
• Open System Authentication
– Default
– Authentication based on sending an empty / null string SSID
– Receiving station (AP) sends an acknowledgment
• Closed System
– Authentication based only on the SSID
– Receiving station (AP) sends an acknowledgment
Shared Key Authentication
• Shared Key
– IEEE 802.11 Wired Equivalent Privacy (WEP)
– Authentication based on challenge text and WEP keys
– Challenge-response scheme
802.1x and EAP
• 802.1x:
– A port-level access control protocol
– Provides a security framework for IEEE networks
– Including Ethernet and wireless networks
• EAP (Extensible Authentication Protocol):
– Sits inside PPP's authentication protocol
– Provides a framework for many authentication methods
Wired Equivalent Privacy (WEP)
• 802.11b standard.
• A secret key is shared between stations and an access point.
• The secret key is used to encrypt data packets.
• Uses an integrity check.
• Logical service is located within the MAC layer.
• Provided are:
– Confidentiality;
– Authentication;
– Access control in conjunction with layer management.
WEP Properties
• Reasonably strong (RC4)? In practice breakable; see WEP Key Weaknesses.
• Self-synchronizing, efficient, and may be exportable
• Optional
WEP IV and Secret Keys
• 802.11b
– 64-bit shared RC4 key: 24-bit IV plus a 40-bit secret key.
– 128-bit shared RC4 key: 24-bit IV plus a 104-bit secret key.
– 152-bit shared RC4 key: 24-bit IV plus a 128-bit secret key.
[Figure: IV (24 bits) concatenated with the Secret Key (40 bits) forms the PRNG seed]
WEP Key Servers
• Advantages of Key Servers
– Centralized key generation
– Centralized key distribution
– Ongoing key rotation
– Reduced key management overhead.
WEP Key Weaknesses
• Small key size (40 bit)
• Simple key management
• Too small IV: 24 bits = 16,777,216 different cipher streams.
• Weak ICV algorithm (CRC-32)
• Authentication messages can be easily faked.
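Added example (not from the tutorial or the IEEE standard): a toy WEP encryptor in Python built from plain RC4 and a CRC-32 ICV, seeded exactly as the IV slide shows (IV || secret key). It demonstrates two of the weaknesses listed above: the ICV still catches accidental corruption, but the 24-bit IV space is so small that a randomly chosen IV repeats after a few thousand frames, and every IV reuse under the same key reuses the RC4 keystream. The 40-bit key and the payloads are constructed values.

```python
import math
import zlib

def rc4(key, length):
    """Plain RC4 keystream (KSA + PRGA), as used by WEP; no per-frame key mixing."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(secret_key, iv, payload):
    """WEP frame body: IV (3 bytes, in clear) || RC4_{IV||key}(payload || CRC-32 ICV)."""
    assert len(iv) == 3 and len(secret_key) in (5, 13, 16)   # 40/104/128-bit keys from the slide
    plain = payload + zlib.crc32(payload).to_bytes(4, "little")
    keystream = rc4(iv + secret_key, len(plain))               # seed = IV || secret key
    return iv + bytes(a ^ b for a, b in zip(plain, keystream))

def wep_decrypt(secret_key, frame):
    """Undo wep_encrypt and verify the ICV; returns (payload, icv_ok)."""
    iv, body = frame[:3], frame[3:]
    plain = bytes(a ^ b for a, b in zip(body, rc4(iv + secret_key, len(body))))
    payload, icv = plain[:-4], plain[-4:]
    return payload, zlib.crc32(payload).to_bytes(4, "little") == icv

def iv_reuse_leaks_plaintext_xor(secret_key, iv, p1, p2):
    """Same IV and key => same keystream, so C1 xor C2 equals P1 xor P2 (no key needed)."""
    c1 = wep_encrypt(secret_key, iv, p1)[3:]
    c2 = wep_encrypt(secret_key, iv, p2)[3:]
    n = min(len(p1), len(p2))
    cipher_xor = bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
    plain_xor = bytes(a ^ b for a, b in zip(p1[:n], p2[:n]))
    return cipher_xor == plain_xor

def frames_until_iv_collision(p=0.5, iv_bits=24):
    """Birthday bound: frames with random IVs sent before some IV repeats with probability p."""
    return math.ceil(math.sqrt(2 * (2 ** iv_bits) * math.log(1 / (1 - p))))
```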
IEEE 802.11i and WPA
• Overview
• IEEE 802.11 task group i: specification for robust security
– Robust security network (RSN): implements only the new mechanisms proposed by 802.11i
– Transitional security network (TSN): allows RSN and WEP to cooperate
– Generally 802.11i is used to designate both of them
• Wi-Fi: Wireless Protected Access (WPA)
– Adopts a subset of the 802.11i specifications
– Extensions added
IEEE 802.11i Features
• Separation of security services
– Avoids security services relying on each other
– Uses different mechanisms
• Use of session keys
– The master key is never used for encryption
• Use of existing standards
– Already tested, more robust
Key usage for IEEE 802.11i
• Use of master and temporal keys
• WPA master keys are generated during authentication.
• Temporal keys are generated using the master key once the STA is authenticated.
• Temporal keys are short-lived keys.
IEEE 802.11i: Security Services
A. Authentication: mutual authentication between the STA and the network
– Personal: pre-shared keys (WPA-PSK, passwords)
– Enterprise: IEEE802.1X (EAP, RADIUS)
B. Confidentiality and Data Integrity
– Key distribution using EAPOL, 802.1X
– TKIP: Temporal Key Integrity Protocol
– CCMP: Counter-Mode CBC-MAC Protocol
C. Access Control: ensures that only legitimate users access the network
– Entirely based on the authentication result
– Implemented at the AP
» This slide is taken from "Hani Ragab Hassen Lecture Notes, Kent University."
Enterprise Authentication
• WPA-PSK is not efficient (for enterprise deployments)
• Enterprise suite:
– 802.1x: allows limiting the access to the network to EAP traffic until the authentication is done
– EAP: carries authentication exchanges
• EAPOL-Key packets are used to distribute the session keys after successful authentication
• EAP was originally designed for dial-up connections
– Runs over 802.1x inside a LAN
– Runs over RADIUS outside the LAN
– RADIUS: the RADIUS server holds the users' credentials
» This slide is taken from "Hani Ragab Hassen Lecture Notes, Kent University."
IEEE802.1X, EAP and RADIUS
This slide is taken from "Hani Ragab Hassen Lecture Notes, Kent University."
[Figure: message flow from the Supplicant to the Auth. Server]
Extensible Authentication Protocol (EAP)
• Extensible Authentication Protocol (RFC2284)
• Used between the authentication server (AS) and the supplicant; the authenticator forwards EAP messages
• Intermediate messages are defined for each authentication method:
– Transport Layer Security (TLS)
– Tunneled TLS (TTLS)
– Kerberos
• Mutual authentication is possible
IEEE802.1X for IEEE802.11
• Three involved entities:
1. Supplicant: the STA which needs to have access, initiates the authentication
2. Authenticator: gate controller (AP)
3. Authentication Server (AS): decides whether to grant the supplicant access or not according to the information transmitted by the authenticator
EAP and 802.1X
• EAP was originally designed for dial-up authentication
– Not adapted for LAN
• 802.1X defines EAP over LAN (EAPOL)
– EAPOL-Packet: encapsulates EAP packets
– EAPOL-Start: allows discovery of local authenticators
– EAPOL-Key: transports keys after successful authentication
– EAPOL-Logoff: sent by the supplicant to disconnect
RADIUS: Why?
• EAPOL cannot transport EAP packets over an IP network
• A secure channel should be used
• EAP over RADIUS (RFC2869: EAP Extensions)
• Remote Access Dial-In User Service (RFC2865)
• A central authentication server + local authenticators
– As in IEEE802.11
– Designed first to be used by Internet Service Providers (ISPs)
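Added example (not from the lecture notes): a Python model of the 802.1X controlled port described on the EAP, 802.1X and RADIUS slides above. The authenticator (AP) drops ordinary data from a supplicant until the EAP exchange, checked against a stand-in for the RADIUS server, succeeds; it then hands out a session key in an EAPOL-Key frame, and an EAPOL-Logoff closes the port again. The credential table, MAC addresses and key string are constructed, and the whole EAP method is collapsed into one EAPOL-Packet.

```python
from dataclasses import dataclass, field

# Constructed credential store standing in for the RADIUS server's user database.
AS_CREDENTIALS = {"alice": "wlan-pass-2011"}

@dataclass
class Authenticator:
    """AP acting as 802.1X authenticator: one controlled port per supplicant MAC."""
    authorized: set = field(default_factory=set)
    session_keys: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def radius_check(self, user, password):
        """Stand-in for the Access-Request / Access-Accept exchange with the AS."""
        ok = AS_CREDENTIALS.get(user) == password
        self.log.append(f"RADIUS {user}: {'Access-Accept' if ok else 'Access-Reject'}")
        return ok

    def receive(self, mac, frame):
        """Handle one frame from a supplicant and report what the port did with it."""
        kind = frame["type"]
        if kind == "EAPOL-Start":                 # authenticator discovery
            return "EAP-Request/Identity"
        if kind == "EAPOL-Packet":                # EAP relayed to the AS; port still closed
            if self.radius_check(frame["identity"], frame["credential"]):
                self.authorized.add(mac)
                self.session_keys[mac] = f"session-key-for-{mac}"   # constructed value
                return "EAP-Success + EAPOL-Key"  # key delivered only after success
            return "EAP-Failure"
        if kind == "EAPOL-Logoff":                # supplicant leaves: close the port
            self.authorized.discard(mac)
            self.session_keys.pop(mac, None)
            return "port closed"
        # Anything that is not EAPOL only passes through an authorized port
        return "forwarded" if mac in self.authorized else "dropped (port unauthorized)"

def run_session(ap, mac, identity, credential):
    """Data before auth, EAP exchange, data after, logoff, then data again."""
    frames = [
        {"type": "DATA"},
        {"type": "EAPOL-Start"},
        {"type": "EAPOL-Packet", "identity": identity, "credential": credential},
        {"type": "DATA"},
        {"type": "EAPOL-Logoff"},
        {"type": "DATA"},
    ]
    return [ap.receive(mac, f) for f in frames]
```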
RADIUS: How?
Fitting it all together!
[Figure: end-to-end exchange from the Supplicant to the Auth. Server]
802.11 Security Protocols

                  WEP    WPA Personal   WPA Enterprise      WPA2 Personal    WPA2 Enterprise     802.11i
Authentication           PSK            802.1X/EAP/Radius   PSK              802.1X/EAP/Radius   PSK or 802.1X/EAP, Radius (O)
Data Encryption   WEP    TKIP           TKIP                CCMP/TKIP (O)    CCMP/TKIP (O)       CCMP/TKIP

(O) = optional
Wireless Packet / Data Filtering
• Blocking unwanted traffic.
• Three basic types of filtering:
– SSID Filtering
– MAC Address Filtering
– Protocol Filtering
Attacks on WLANs
• Some attack methods:
– Passive Attacks (Eavesdropping)
– Active Attacks
• Jamming Attacks
• Man-in-the-middle Attacks
Emerging Security Solutions
• WEP Key Management
• Wireless VPNs
• TKIP
• AES
• Wireless Gateways
• 802.1X and EAP
• Policies
• Etc…
Wireless VPN
• VPN
– Virtual private network.
– Private network link carried on a public network
– Uses tunnelling
– Utilizes encryption techniques
Roaming
• Roaming
– Ability for a user to function when the serving network is different from their home network.
– The process of a client moving from one area or AP to another while maintaining a data link.
• Mobile IP
– Allows users with mobile devices whose IP addresses are associated with one network to stay connected when moving to another network with a different IP.
Roaming and Mobility
VPN Use in Roaming
• Wireless VPN implemented by two methods:
– A centralized VPN server (hardware / software)
– A distributed set of VPN servers
• Can be located in the AP with RADIUS support
Corporate Security Policy
• Develop a wireless security policy
– Define what is and what is not allowed with wireless technology.
• Measure the basic field coverage of the wireless network.
• Know the technologies and the users that use the network.
• Physical security
Corporate Security Policy
• Set baselines and perform audits / monitoring of the network.
• Harden APs, servers, and gateways.
• Determine the level of security protocols and standards.
• Consider using switches, DMZ, RADIUS servers, and VPN.
• Update firmware and software.
Securing WLAN Policies
• If possible, put the wireless network behind its own routed interface so you can shut it off if necessary.
• Pick a random SSID that gives nothing away about your network.
• Set your AP to 'Closed Network'.
• Set the authentication method to 'Open'.
• Have your broadcast keys rotate every few minutes.
• Use 802.1X for key management and authentication
– Look over the available EAP protocols and decide which is right for your environment.
– Set the session to time out every few minutes.
References
1. Computer Security: Principles and Practice, by William Stallings and Lawrie Brown. Pearson/Prentice Hall, © 2008. ISBN 0-13-600424-5.
2. Cisco CWNA Course.
3. Dr. Hani Ragab Hassen, Lecture Notes, Kent University.
Summary
• In this session we discussed the following:
– Introduced need for security auditing
– Audit model, functions, requirements
– Security audit trails
– Implementing logging and analysis.
– Overview of wireless networking and standards
– Wireless security protocols and policies
Thanks
Radwan Tahboub