May 28, 2012

1.6.5 PEAP

PEAP

Wireless security consists of three components:
  1. The authentication framework
  2. The authentication algorithm
  3. The data privacy or encryption algorithm
Extensible Authentication Protocol (EAP) is a type of authentication algorithm. EAP is an authentication framework that supports multiple authentication methods. PEAP adds security services to the EAP methods that EAP provides.

Protected Extensible Authentication Protocol, Protected EAP, or simply PEAP is a method to securely transmit authentication information, including passwords, over wireless networks. It was jointly developed by Microsoft, RSA Security and Cisco Systems. It is an IETF open standard. Note that PEAP is not an encryption protocol; as with other EAP types it only authenticates a client into a network.

While many consider PEAP and EAP-TTLS to be similar options, PEAP is more secure since it establishes an encrypted channel between the server and the client.

PEAP provides the security framework for mutual authentication between an EAP client and an EAP server. PEAP is not as secure as Transport Layer Security (TLS), but has the advantage of being able to use username/password authentication instead of client certificate authentication.

PEAP authentication occurs as a two-part conversation between the EAP client and the EAP server. In the first part of the conversation, TLS is used to establish a secure channel for use in the second part of the authentication. Once the client authenticates the server and the secure channel is established, the second part of the PEAP conversation begins. In this second part, a complete EAP conversation occurs within the secure channel. PEAP authentication succeeds if both parts of the authentication succeed.

PEAP authenticates the server with a public key certificate and carries the authentication in a secure Transport Layer Security (TLS) session, over which the WLAN user, WLAN stations and the authentication server can authenticate themselves. Each station gets an individual encryption key.

PEAP makes it possible to authenticate wireless LAN clients without requiring them to have certificates, simplifying the architecture of secure wireless LANs.
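The first phase described above only protects the inner password exchange if the client actually validates the server's certificate; a client configured to skip that check will happily build its TLS tunnel to whichever server answers. As an added example (not from the original notes or from any vendor referenced on this page), the following Python script parses wpa_supplicant-style `network={...}` blocks and flags PEAP profiles that leave server validation incomplete. The configuration text is constructed for the example; the keys it inspects (`ca_cert`, `domain_suffix_match`, `subject_match`, `altsubject_match`, `anonymous_identity`) are real wpa_supplicant options, while `parse_networks`, `audit_peap` and `audit_config` are names chosen here.

```python
"""Flag PEAP client profiles that do not fully authenticate the server.

Hypothetical checker for wpa_supplicant-style configuration text; it is
not part of wpa_supplicant or of any product named in the notes.
"""
import re

# Constructed sample: the first block is weak, the second is hardened.
SAMPLE_CONFIG = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    anonymous_identity="anonymous"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
# key=value or key="value", one per line
KV_RE = re.compile(r'^\s*(\w+)=("?)(.*?)\2\s*$', re.M)


def parse_networks(text):
    """Return one dict of settings per network={...} block."""
    return [
        {key: value for key, _quote, value in KV_RE.findall(body)}
        for body in BLOCK_RE.findall(text)
    ]


def audit_peap(net):
    """Return a list of findings for one block; an empty list means no issue.

    Non-PEAP blocks are skipped. The checks mirror the two halves of PEAP's
    first phase: the client must verify that the certificate chains to a
    trusted CA, and that it names the expected authentication server.
    """
    findings = []
    if net.get("eap", "").upper() != "PEAP":
        return findings
    if "ca_cert" not in net:
        findings.append(
            "no ca_cert: any server certificate is accepted, so the TLS "
            "tunnel can terminate at a server other than the real one"
        )
    if not any(k in net for k in ("domain_suffix_match", "subject_match",
                                  "altsubject_match")):
        findings.append(
            "no server-name constraint: any certificate that chains to the "
            "trusted CA is accepted, not just the authentication server's"
        )
    if "anonymous_identity" not in net:
        findings.append(
            "no anonymous_identity: the real username is sent in the outer "
            "EAP-Identity exchange, outside the TLS tunnel"
        )
    return findings


def audit_config(text):
    """Audit every block in a configuration; one findings list per block."""
    return [audit_peap(net) for net in parse_networks(text)]


if __name__ == "__main__":
    for index, findings in enumerate(audit_config(SAMPLE_CONFIG)):
        status = "OK" if not findings else "WEAK"
        print(f"network block {index}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Run stand-alone, the script reports the first block as weak on all three counts and the second as clean. The `ca_cert` check is the one that matters most for the two-phase model in the notes: without it, the "client authenticates the server" step never happens, and the inner password-based method is protected only against observers, not against whoever is on the other end of the tunnel.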

PEAP is considered an enhancement to Lightweight EAP (LEAP), in part because it supports secure mutual authentication.

References:
  • http://www.potaroo.net/ietf/idref/draft-josefsson-pppext-eap-tls-eap/
  • http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps430/ps4076/prod_white_paper09186a00800b469f_ps4570_Products_White_Paper.html
  • http://msdn.microsoft.com/en-us/library/aa921396.aspx
  • http://searchmobilecomputing.techtarget.com/definition/PEAP-Protected-Extensible-Authentication-Protocol
  • http://wiki.freeradius.org/EAP-PEAP

1.6.7 MAC Filter

MAC filter

MAC addresses are uniquely assigned to each network adapter. Every wireless network adapter has a MAC Address burnt into it.

When a wireless network adapter attempts to access the network, the access point (or router) checks the device's MAC address. Using MAC address filtering on a network allows the administrator to permit (or deny) network access to specific network adapter devices. If the MAC address doesn't match what's on the list, no connection is possible.

This security isn't perfect. MAC address filtering is often referred to as security through obscurity because, while it gives some additional protection, it can be circumvented by a determined hacker configuring their client to spoof one of the validated MAC addresses. Using MAC filtering may lead to a false sense of security.

To set up MAC address filtering, the administrator configures a list of network adapter MAC addresses that will be allowed to join the network. Then, each address is entered into the wireless access point.

Once enabled, whenever the wireless access point receives a request to join with the WLAN, it compares the MAC address of that client against the administrator's list. Clients on the list authenticate as normal; clients not on the list are denied any access to the WLAN.

MAC addresses are sent in the clear as required by the 802.11 specification. As a result, in wireless LANs that use MAC address filtering, a network attacker might be able to subvert the MAC filtering (or authentication) process by spoofing a valid MAC address.
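The allow-list check in the two paragraphs above is simple, but two things trip administrators up in practice: MAC addresses arrive in several textual formats (colons, dashes, Cisco-style dots, upper or lower case), so a naive string comparison rejects legitimate clients, and the spoofing weakness just described leaves no trace in the filter itself, so it has to be looked for in the association logs. As an added example (not from the original notes), the following Python code normalizes addresses before comparing them and then runs a constructed association log through the allow list, raising a finding whenever an allowed MAC associates at a second access point while it is still associated at the first, which is one visible side effect of a cloned address. The log format, the access-point names and the function names are assumptions made for this example.

```python
"""MAC allow-list enforcement plus a duplicate-association check.

Added example; the association log below is constructed, and the event
format (timestamp, access point, client MAC, event) is an assumption.
"""
import re

MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form.

    Accepts 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 and bare
    hex; raises ValueError for anything that is not 12 hex digits.
    """
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not MAC_HEX.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_allow_list(entries):
    """Administrator's list, stored in canonical form so format differences
    between the list and the access point's logs cannot cause false denials."""
    return {normalize_mac(entry) for entry in entries}


def is_permitted(mac, allow_list):
    """The filter decision: on the list or not. Malformed input is denied."""
    try:
        return normalize_mac(mac) in allow_list
    except ValueError:
        return False


# Constructed allow list with two entries in different notations.
SAMPLE_ALLOW_LIST = build_allow_list(["00:11:22:33:44:55", "0011.2233.4456"])

# Constructed association log: (timestamp_seconds, access_point, client_mac, event)
SAMPLE_EVENTS = [
    (100, "ap-1", "00:11:22:33:44:55", "assoc"),
    (105, "ap-1", "AA:BB:CC:DD:EE:FF", "assoc"),      # not on the list
    (110, "ap-2", "00-11-22-33-44-55", "assoc"),      # same MAC, still on ap-1
    (120, "ap-1", "00:11:22:33:44:55", "disassoc"),
    (130, "ap-2", "00:11:22:33:44:56", "assoc"),
]


def audit_associations(events, allow_list):
    """Return (denied, duplicates).

    denied:     (timestamp, ap, mac) for join requests the filter rejects.
    duplicates: (mac, first_ap, second_ap, timestamp) when an allowed MAC
                associates at another AP without leaving the first one.
    """
    active = {}  # canonical mac -> access point it is currently associated to
    denied, duplicates = [], []
    for ts, ap, raw_mac, event in sorted(events):
        if not is_permitted(raw_mac, allow_list):
            denied.append((ts, ap, raw_mac))
            continue
        mac = normalize_mac(raw_mac)
        if event == "assoc":
            if mac in active and active[mac] != ap:
                duplicates.append((mac, active[mac], ap, ts))
            active[mac] = ap
        elif event == "disassoc" and active.get(mac) == ap:
            del active[mac]
    return denied, duplicates


if __name__ == "__main__":
    denied, duplicates = audit_associations(SAMPLE_EVENTS, SAMPLE_ALLOW_LIST)
    for ts, ap, mac in denied:
        print(f"{ts}: {ap} denied {mac} (not on allow list)")
    for mac, first_ap, second_ap, ts in duplicates:
        print(f"{ts}: {mac} associated at {second_ap} while still on {first_ap}")
```

Treat the duplicate finding as a lead, not proof: a client that roams before the old access point logs its disassociation produces the same pattern, so the check is most useful when the two associations overlap for longer than a roam takes, or when the two access points are far enough apart that one station could not be in range of both.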

MAC address filtering is not bulletproof; however, used as an additional layer of defense, it can improve the overall wireless network security profile.

References:
  • http://en.wikipedia.org/wiki/MAC_filtering
  • http://compnetworking.about.com/cs/wirelessproducts/qt/macaddress.htm
  • http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps430/ps4076/prod_white_paper09186a00800b469f_ps4570_Products_White_Paper.html