
CTS 175: Wi-Fi Security Updates with Hendrik Lüth

In this episode, we interview Hendrik Lüth on the state of Wi-Fi security today. Hendrik works as a System Engineer for CANCOM in Germany. You can follow him on Twitter @DO9XE and on LinkedIn. You can also visit and read his blog at https://linux-nerds.de/.

Agenda

  • Start the conversation with the “2018” status of Wi-Fi security
    • WPA2 is widely supported
    • WPA2-Enterprise is too complicated for home/guest solutions
    • Headless IoT devices only support PSK, because of hardware limitations
  • MPSK/PPSK/DynPSK
    • Short Recap on 4-way handshake
      • We just need to mention that there is a Nonce and a MIC, that’s all 🙂
    • Explanation of how it works and why it’s different with every vendor
    • PPSK from Aerohive
      • Uses the Nonce, MIC and MAC together with a list of known keys to find a matching key
      • More information needed, hard to find technical details
    • DynPSK from Ruckus
      • One key per MAC, auto-detection possible
      • Auto-detection probably works like Aerohive’s
      • Internal database of the ZoneDirector
    • MPSK (Multiple PSK) from Aruba
      • Based on MAC authentication
      • Requires ClearPass Policy Manager
    • Identity PSK from Cisco
  • WPA3
    • WPA3-SAE
      • Dragonfly handshake
    • WPA3-Enterprise 192-bit Mode
      • CNSA Suite B
      • Stronger crypto
  • Enhanced Open
    • RFC 8110
    • Transition mode
  • Plan from Aruba to bring MPSK with WPA3-SAE into the IEEE Standard
  • Dragonblood Attack by Mathy Vanhoef

Resources

Nyansa Releases Voyance IOT Security

Recently, I was invited into the Nyansa office to take a look at something new being released. With the growth of IoT devices on networks, Nyansa saw an opportunity to provide a comprehensive set of security and device analytics of IoT devices.

Innovations with IoT devices have resulted in shadow IT deployments in enterprises, hospitals, higher education, and more. Many of the IoT devices solve a critical business need but the devices themselves often lack sophisticated security implementation and are susceptible to vulnerabilities.

Voyance IoT Security leverages the same platform that drives the Voyance analytics platform. Included with Voyance IoT Security are:

  • Classification of IoT devices
  • Baselining for behavior assessment
  • Automation of security enforcement through third parties such as Cisco ISE or Aruba ClearPass
  • Utilization tracking for further anomaly detection

Nyansa is coming out of the gate with multiple third-party integrations, which include:

  • NAC and identity systems: Cisco ISE, Aruba/HPE ClearPass, FreeRADIUS, Microsoft RADIUS
  • Security threat control platforms: Cisco’s Platform Exchange Grid (pxGrid). Voyance is a certified solution on the Cisco pxGrid ecosystem
  • Wireless LAN: Cisco, Aruba/HPE, and Extreme Networks
  • CMDB: ServiceNow native integration
  • SIEM: Splunk and others via extensible Voyance platform APIs
  • NetFlow

Nyansa Voyance IoT

Links & Resources

Watch the Nyansa Voyance IoT Tour

See everything at Nyansa.com

CTS 155: Security beyond the fi

Security is much more than protecting the wireless frames over the air. We must also protect the infrastructure side, have proper segmentation, and ensure the right role-based access. In this episode we speak with Chris Hinsz about security beyond Wi-Fi.

Securing wireless is much more than encryption. We have WPA2, the upcoming WPA3 and OWE, but those protect the traffic over the air, together with 802.1X for authentication.

It goes beyond and into worrying over insecure IoT devices, stolen credentials, compromised employee devices, and more. These are all real security threats which have nothing to do with over-the-air encryption.

In this episode we talk about these security concerns and the pieces needed to secure wireless further:

  • Zero Trust Model
  • Strong segmentation
  • Multi-factor authentication
  • Indicators of compromise
  • IoT Visibility

Links and Resources

Security Improvements in Wi-Fi: An Ekahau Webinar

Recently, I had the pleasure of joining Joel and Jerry on an Ekahau webinar. The topic I presented was on Security Improvements in Wi-Fi.

In this webinar, I touch upon three different security improvements:

  • Device Provisioning Protocol
  • Opportunistic Wireless Encryption
  • WPA3

While I go over a general overview of the topics, OWE gets a little detailed because of the frame capture I was able to obtain from Aruba Networks’ live demo from MFD3.

Check out the webinar and let me know what you think in the comments:

CTS 139: Aruba Networks Demos OWE at MFD3

Understanding OWE operation from the Aruba Networks demo presented at MFD3.

Aruba Networks Demos OWE

Opportunistic Wireless Encryption (OWE) is a security improvement coming to open SSIDs. It is aimed at securing the insecure: the completely open Wi-Fi network we see everywhere, where any client can join and the traffic between clients and the AP is unencrypted.

OWE was demoed by Aruba Networks at Mobility Field Day 3 (MFD3) and I was able to capture the frames during the demo. Aruba needed to build a custom supplicant using Ubuntu in order for this demo to work since there are no working clients supporting OWE yet.

There was an AP broadcasting an SSID, MFD-OWE, in OWE Transition Mode.

Aruba Networks OWE Demo from MFD3

OWE Transition Mode SSID

An SSID in OWE Transition Mode will utilize two BSSIDs: one for the open SSID, for clients that do not support OWE, and another for the OWE-capable SSID. That is something to keep in mind for OWE Transition Mode.

When most clients support OWE, an SSID strictly supporting OWE can be configured.

In the demo, Aruba Networks created a custom supplicant within Ubuntu since there are no OWE-capable clients available. In a Probe Response to the client, there will be an Information Element containing the BSSID and SSID that an OWE-capable client should send a Probe Request to.

OWE Information Element from a Probe Response frame.

OWE Information Element inside the Probe Response

The client sends a Probe Request frame to the OWE SSID, which is a hidden SSID.

Within the Association Request frame, the client will include an RSN Information Element. Within that RSNIE there will be the Management Frame Protection (MFP) requirement needed in OWE.

After association, a 4-way handshake will follow and, when complete, transmissions will be encrypted.

Frame exchange for OWE supported SSID and client.

Frames exchanged when joining an OWE-enabled SSID.

Information you’ll need for the pcap file:

Open SSID: MFD-OWE
BSSID of MFD-OWE: 20:a6:cd:60:00:b0

OWE SSID: _owetm_MFD-OWE2340208851
BSSID: 20:a6:cd:60:00:b1

Client MAC: 9c:b6:d0:d7:ce:dd
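The two elements the text walks through can be checked programmatically. The example below is added here and is not code from the post or from Aruba: it builds a constructed Probe Response body for the open BSS carrying the OWE Transition Mode element (WFA OUI 50:6F:9A, OUI type 0x1C, then BSSID, SSID length and SSID) using the BSSID and hidden SSID listed above, and a constructed Association Request body whose RSN element selects the OWE AKM (00-0F-AC:18) with MFP capable and required, then parses both. The element layouts are assumed from IEEE 802.11 and the Wi-Fi Alliance OWE specification; the sample bodies are not taken from the demo pcap.

```python
import struct
# Selector values from IEEE 802.11 / the WFA OWE spec; the sample bodies below are constructed, not from the demo pcap.
WFA_OUI = bytes.fromhex("506f9a")
OWE_TRANSITION_OUI_TYPE = 0x1C              # WFA OUI type of the OWE Transition Mode element
CCMP_128 = bytes.fromhex("000fac04")        # cipher suite selector 00-0F-AC:4
AKM_OWE = bytes.fromhex("000fac12")         # AKM suite selector 00-0F-AC:18 (OWE)
MFPR_BIT, MFPC_BIT = 0x40, 0x80             # RSN Capabilities: MFP required / MFP capable

def parse_ies(body):
    """Split a tagged-parameter body into (element_id, data) pairs."""
    ies, i = [], 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        ies.append((eid, body[i + 2:i + 2 + ln]))
        i += 2 + ln
    return ies

def owe_transition_info(body):
    """(bssid, ssid) of the hidden OWE BSS advertised by the open BSS, or None if absent."""
    for eid, data in parse_ies(body):
        if eid == 221 and data[:4] == WFA_OUI + bytes([OWE_TRANSITION_OUI_TYPE]):
            bssid = ":".join(f"{b:02x}" for b in data[4:10])
            return bssid, data[11:11 + data[10]].decode()
    return None

def rsn_owe_with_mfp(body):
    """True when the RSN element selects the OWE AKM and both MFPC and MFPR are set."""
    for eid, data in parse_ies(body):
        if eid != 48:
            continue
        pos = 2 + 4                                        # skip version and group cipher suite
        (n_pair,) = struct.unpack_from("<H", data, pos); pos += 2 + 4 * n_pair
        (n_akm,) = struct.unpack_from("<H", data, pos); pos += 2
        akms = [data[pos + 4 * k:pos + 4 * k + 4] for k in range(n_akm)]; pos += 4 * n_akm
        (caps,) = struct.unpack_from("<H", data, pos)
        return AKM_OWE in akms and bool(caps & MFPC_BIT) and bool(caps & MFPR_BIT)
    return False

def build_owe_transition_ie(bssid, ssid):
    data = WFA_OUI + bytes([OWE_TRANSITION_OUI_TYPE]) + bytes.fromhex(bssid.replace(":", ""))
    data += bytes([len(ssid)]) + ssid.encode()
    return bytes([221, len(data)]) + data

def build_rsn_ie(akm, caps):
    data = struct.pack("<H", 1) + CCMP_128 + struct.pack("<H", 1) + CCMP_128
    data += struct.pack("<H", 1) + akm + struct.pack("<H", caps)
    return bytes([48, len(data)]) + data

# Probe Response body of the open BSS MFD-OWE, pointing OWE-capable clients at the hidden BSS
PROBE_RESP_BODY = bytes([0, 7]) + b"MFD-OWE" + build_owe_transition_ie("20:a6:cd:60:00:b1", "_owetm_MFD-OWE2340208851")
# Association Request body the client sends to the OWE BSS: OWE AKM, MFP capable and required
ASSOC_REQ_BODY = bytes([0, 24]) + b"_owetm_MFD-OWE2340208851" + build_rsn_ie(AKM_OWE, MFPC_BIT | MFPR_BIT)
```

Running `owe_transition_info(PROBE_RESP_BODY)` yields the hidden BSSID and SSID listed above, and `rsn_owe_with_mfp` is false for an RSN element that only sets MFPC, which is what an OWE AP should reject.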

Links and Resources