Wireless Security Basics - PowerPoint PPT Presentation

1 / 38

About This Presentation

Title:

Wireless Security Basics

Description:

... that WIFI client growth (laptops, PDA's and phones) is around 65% per year ... such as Ad-aware and Spybot Search and Destroy that can certainly help with ... – PowerPoint PPT presentation

Number of Views:78

Avg rating:3.0/5.0

Slides: 39

Provided by: thomasto

Category:

more less

Transcript and Presenter's Notes

Title: Wireless Security Basics

1
Wireless Security Basics

Thomas Torgerson, CISSP
October 24th, 2005

2
Topics At A Glance

Which wireless are we talking about?
Some interesting statistics
Some questions to ponder
Common Wireless 802.11 Terms
802.11 standards and risks
Wireless in the news
Reasons for wireless attacks and who those
attackers are

3
Topics At AGlance - Continued

Proving an attack ever happened
Issues with small companies deploying wireless
Home Wireless Security - The Basics
Home Wireless Security - Facts Advice
Securing corporate wireless
Rogue access points and prevention
Wireless assessments
Useful links

4
Which Wireless Are We Talking About?

802.11x - the one being used by you, your
neighbor, the local coffee shop, etc.
It is also being heavily deployed in larger
cities by large companies such as Google,
Verizon, etc.
Not BlueTooth
Not Cellular
Not InfraRed

5
Some Interesting Statistics

One study stated that WIFI client growth
(laptops, PDAs and phones) is around 65 per
year
Gartner predicts that by 2006, frequent users of
public WIFI spots will exceed 4 Million in North
America alone
JiWire reports over 77k WIFI hotspots in 103
countries
Increased over 6k since mid September
Security Related
Normally less than 30 of APs have WEP enabled
Approximately 20 use default SSID
Lack of education is the largest reason for
insecure wireless deployments!!
Note These statistics include a large of
businesses, even IT based companies and
government agencies.

6
Some Questions To Ponder

What kind of data do you have crossing that WLAN
connection?
Are you at risk for data loss, manipulation,
destruction or even identity theft?
Do you know if anyone has sniffed the traffic on
your WLAN?
Have you noticed anyone outside or near the WLAN
that had a pringles can in hand and a laptop in
the other? - If so, did you give them a strange
look and wonder why the pringles can?
Are you scared YET?

7
Common 802.11Wireless Terms

Access Point - wireless to wired world - bridging
Station - devices with wireless network
interfaces
Wireless Medium - radio frequency physical layers
Distribution System - underlying infrastructure
Infrastructure - clients to AP communication
Independent or ad-hoc - client to client
communication
WEP - wireless equivalent privacy - many
weaknesses
802.1X - device based authentication
TKIP - Temporal Key Integrity Protocol -
immediate help to address common WEP issues
WPA - WIFI Protected Access - Interim solution
from the WIFI Alliance while 802.11i was being
developed

8
802.11 Standards

Remember that vendors drive many of these
standards
802.11 began as a IEEE standard way back in 1997
802.11a/b/g - established and many extensions
exist
802.11e - QoS extentions for WLANs
802.11i - some security enhancements - namely
support for AES and 802.1X
802.11.k - control power output of clients
Anyone know why this is important?

9
802.11 StandardsIn Use Today

RF communication has been around for decades
First standard adopted in 1997 - 2.4GHz band -
802.11 - up to 2Mbps
802.11a - 5GHz band - 1999 but no products till
late 2000 - up to 54Mbps
802.11b - 2.4GHz band - 1999 - most widely
deployed - up to 11Mbps
802.11g - 2.4GHz band - 2003 - backwards
compatible - up to 54Mbps
Anyone know what other kind of devices operate in
the 2.4GHz band?

10
802.11 Risks

Physical location
Signal leakage and overlap
Open authentication - SSID based authentication
RF Jamming - CSMA\CA Physical layer
Data flooding
Hijacking
Protocol weaknesses

11
Wireless In The News

In April, a man was arrested in Florida for using
a wireless connection without permission.
Still another was arrested and found guilty and
in this case, fined for use of a wireless network
without permission.
In July, a man in the UK was found guilty and
fined for using a wireless connection without
permission.
Find additional information at
http//www.theregister.co.uk/

12
Reasons For Wireless Attacks

Fun and Intriguing - for those geeky kinds
Anonymous access for hacking makes it difficult
to track
It is free bandwidth!!!
Out of band lateral attacks against corporate
networks

13
Who The Attackers Are

Curious People Like them and use them, for they
are our friends. If they had bad intentions,
they would not inform us of our security issues.
Bandwidth Snatchers - You can dislike these as
they are normally those that are too lazy to find
a public hotspot or even just pesky script
kiddies doing no one any favors. Either way,
they are disliked.
Black Hats - Be worried about these try not to
let them know that you dislike them as this only
motivates them more. For those who are in
security, these are the people that keep us White
Hats in business.

14
Proving An Attack Ever Happened

This can prove very interesting and challenging
The attacker can spoof MAC address and then
change after the attack took place.
The attacker can remove the tools used during the
attack - wipe their system clean of any trace.
If the attacker is physically on public property
(property not owned by you), you cannot force
them to hand over their cool equipment they used
for the attack while law enforcement is called to
the rescue - they can simply walk away while they
wipe their cool system clean of any trace. -)

15
Issues With Small Companies Deploying Wireless

Issues are very obvious but most of the time
overlooked
System Admin is overloaded with work and it must
be done immediately to make someone happy
Cheap wireless equipment is used - security not
included - may not support that brand new
standard that was just approved
There is no central authentication server
There is no wireless IDS and no central logging
server
There is no wireless security policy - oh yeah,
not to mention all of the other security policies
missing
There is no funding for having an outside party
audit the deployment

16
Home Wireless Security -The Basics

MAC address filtering
Disable DHCP
Disable SSID broadcast
Use encryption - WEP, WPA/WPA2, etc.
Never use default WEP keys
Use good key management TKIP, manually change
keys frequently, etc.
Change default device passwords
Disable dynamic routing
Do these controls work?

17
Home WirelessSecurity Facts Advice

Only high end DSL/Cable modems provide stateful
firewall functions and in-depth security
controls. Most provide rudimentary firewall
functions built around NAT (network address
translation).
Never share out resources to the external world
from your internal network unless you have a
secondary device that serves as a dedicated
firewall.
Always disable your wireless AP and any clients
when not in use.

18
Home Wireless SecurityFacts Advice Continued

Use WPA if it is supported if not available,
use WEP at a minimum even with its known
weaknesses
Disable all file sharing and any other default
services on all systems participating on the
wireless and wired networks if the services are
not required.
Systems participating on the wireless and wired
networks should have the latest AV signatures,
latest OS application patches and if possible,
a personal firewall configured and running. You
can also pickup free anti-spyware programs such
as Ad-aware and Spybot Search and Destroy that
can certainly help with pesky spyware programs.

19
Securing Corporate Wireless

Site survey is always the very first item
802.1X authentication (supplicant, authenticator
and authentication server)
Reliable and supported EAP method
Access Control Lists or Firewall or both
Why would you do both?
Layer 3 encryption using IPSec Tunneling - PPTP
and L2TP are normally insufficient
Two factor strong authentication
Always perform frequent assessments

20
Site Survey

Should be done both prior to deployment and
intermittently after deployment
Utilize wireless card and AP along with survey
software - Cisco Aironet cards come with survey
software
Tune AP and wireless card transmit/receive power
accordingly
Tune antennas accordingly - both client and AP
when available
End result is to limit RF leakage

21
What is 802.1X?

802.1X
IEEE framework ratified in December 2001
Implemented on network devices and clients at the
link layer
Provides port based access control/authentication
Transports higher level authentication protocols
MAC based filtering and port state monitoring
Is used between the supplicant and the
authenticator
IEE Terms Common Terms
Supplicant Client
Authenticator Network Access Device
Authentication Server AAA/RADIUS Server

22
802.1X - Requirements

Reliable Supplicants 3rd party may be best
since MS is developing their own Network Access
solution (NAP) platform availability is a big
item to consider
Funk Software, MeetingHouse, Cisco, etc.
Authenticator - 802.1X supported network devices
- (APs, switches, routers, etc.)
Authentication server
Microsoft IAS - free with Windows 2003
Cisco ACS - not so free, but plenty of options
Any IETF based RADIUS server
Identity Store - integration
NDS, LDAP, ADS, etc.

23
802.1X Visual
24
EAP Basics

Extensible Authentication Protocol
EAP became a standard in 1998 and was originally
a protocol for PPP authentication supporting
multiple authentication mechanisms
EAP is used to carry the authentication payloads
(referred to as EAP methods)
EAP standard includes only three methods
EAP-MD5 - MD5 hashed username/password
EAP-OTP - one-time passwords
EAP-TLS - strong PKI - mutual authentication
end to end support for what method is chosen
clients AAA server must work well together
Other EAP methods exist also PEAP, EAP-FAST,
EAP-TTLS, EAP-SIM, any many others

25
More On EAP-FAST

EAP-FAST Extensible Authentication Protocol
based Flexible Authentication via Secure
Tunneling
Tunnel is established via symmetric cryptography
using unique client secrets called PACs
(Protected Access Credentials)
Each client has an associated PAC and the PAC is
generated using a master key that periodically
expires (TTL configurable)
EAP-FAST is much faster than methods relying on
PKI due to the shared secret (PAC)

26
More On EAP-FAST Continued

Server certificate required, but no client
certificates required
Not susceptible to dictionary and MitM attacks
Supports LDAP, MS AD, local authentication and
ACS local DB
Also supports MS AD login scripts, MS AD password
changing, fast wireless secure roaming and WPA
Three phases to EAP-FAST
Phase zero - PAC provisioning can either be
done manually or automatically using DH key
exchange MSCHAPv2 protocol is used for user
identification and authentication to provide the
correctly assigned PAC
Phase one - Tunnel establishment PAC is used
as secret key, but still no network level access
is granted
Phase two - Tunnel authentication successful
authentication of the users credentials

27
ACLs Firewalls

Both controls can be used regardless of 802.1X
usage at the AP layer
Firewalls are best, but more costly - state based
ACLs are easy, but very limited - layer 4 limit
with no state support - larger ACLs can cause
utilization
Use ACLs at a minimum - default deny rule - only
permit what is required and deny everything else,
especially IP ranges outside of the segment being
used by the wireless clients
Use firewall if budget permits - wireless should
be treated as an un-trusted segment - ALWAYS!

28
IPSec At A High Level

Standard ratified in the late 90s
Most common protocol used in VPN deployments
Encryption at the IP layer (layer 3)
Provides
Authentication - optional
Data confidentiality through encryption
Integrity of traffic by detecting modified
traffic
Prevention of replay attacks

29
Why IPSec Over Layer 2 Encryption Methods?

IPSec is supported by most all vendors in the
market today (Cisco, CheckPoint, WatchGuard,
Juniper, etc.)
Currently most layer 2 methods require vendor
specific implementations using their hardware to
work as advertised
Specific firmware versions and drivers are
required
Hardware specs change and need upgraded
IPSec allows for
Network card independence
Access point independence

30
Strong Authentication

What are these factors anyway?
What you know - userIDs/passwords
What you have - tokens/smartcards
What you are - biometrics
Single factor (userID/password) has been
insufficient for years
Two factor is easy to implement using proven
products - most common is what you know and what
you have

31
Corporate Wireless Example Diagram
32
Equipment List

Windows laptop 1
Cisco Aironet wireless card
Cisco VPN client
Windows laptop 2
Cisco Secure ACS
Cisco PIX Firewall
Cisco Aironet 1220 AP
Two low end switches

33
Rogue Access Points

Where do they come from?
Associates set them up
Hackers use them from the outside
What are the risks?
Unknown access to network and resources
Unknown usage of network
Unknown access to wireless clients

34
Preventing RogueAccess Points

Corporate Policy - this is always the first step
Physical Security - monitor your environment
Supported WLAN Infrastructure - have one in place
if required for business purposes rather than
waiting on users to install one themselves
802.1X implemented on edge switches - prevents
unknown devices from connecting
Perform frequent wireless assessments with
wireless client, scanning tool and external
antenna - more on this on the next slide

35
Wireless Assessments

What you need
Linux or Mac laptop is best, but Windows will
work in most cases
Wireless card (Aironet, Prism2 or Orinoco are
supported by most all tools) with external
antenna connector
External antenna providing 5Db gain try not to
go higher as this increases the chances of
picking up devices much farther away and may not
be yours to worry about
Scanning tools
WellenReiter, NetStumbler, MacStumbler, Kismet,
KisMAC, etc.
Sniffing tools
Ethereal, tcpdump, windump, etc.
Cracking tools
Airsnort, WPA Cracker, WEPAttack, WEPCrack,
LEAPcracker, etc.