Agenda

1
Agenda

• 1000 1100 Securing wireless networks
• 1100 1115 Break
• 1115 1200 Patch Management in the Enterprise
• 1200 100 Lunch
• 100 230 Network Isolation using IPSec and
  Group Policies
• 230 215 Break
• 215 330 Detecting the Hacker
• 330 QA

2
Wireless LAN Security

• Paul Hogan
• Ward Solutions

3
Session Prerequisites

• Hands-on experience with Windows 2000 or Windows
  Server 2003
• Working knowledge of networking, including basics
  of security
• Basic knowledge of WLANS

Level 300
4
This sessions are about

• about operational security
• The easy way is not always the secure way
• Networks are usually designed in particular ways
• In many cases, these practices simplify attacks
• In some cases these practices enable attacks
• In order to avoid these practices it helps to
  understand how an attacker can use them

5
This sessions are NOT

• a hacking tutorial
• Hacking networks you own can be enlightening
• HACKING NETWORKS YOU DO NOT OWN IS ILLEGAL
• demonstrating vulnerabilities in Windows
• Everything we show stems from operational
  security or custom applications
• Knowing how Windows operates is critical to
  avoiding problems
• for the faint of heart

6
The Sessions
7
The Network
8
Why Does Network Security Fail?
Network security fails in several common areas,
including

• Human awareness
• Policy factors
• Hardware or software misconfigurations
• Poor assumptions
• Ignorance
• Failure to stay up-to-date

9
Session Agenda

• WLANs and WLAN issues
• WLAN Deployment models
• Out-of-box
• Block SSID / MAC address filtering
• WEP
• WPA (WPA-PSK)
• WLAN and Windows Server 2003

10
Wireless LAN Good News
Cheap, easy to deploy, high performance radio
based technology that does not respect the
physical parameters of a building.
11
Wireless LAN Bad News
Cheap, easy to deploy, high performance radio
based technology that does not respect the
physical parameters of a building.
12
Wireless LAN

• By 2006, 60 of Fortune 1000 companies will be
  deploying wireless networks
• By 2010, the majority of Fortune 2000 companies
  will be heavily dependent on wireless networks.

Gartner Group 2003
13
Wireless Network
And Now a Warning..Corporations turning to
wireless, for operational flexibility without
considering the security issues, may be
carelessly sacrificing the integrity of their
systems
14
Lets go for a drive Drive by hacking

• Ward Solutions independent analysis
• Completely non obtrusive
• Tools
• Laptop
• WiFi PCM network card
• Orinoco driver
• Netstumbler software
• Results
• 65 Networks not encrypted
• 55 NO access controls
• 45 Broadcasting network name

15
What can be done

• Interception
• Monitoring
• Insertion
• Packet Analysis
• Broadcast Monitoring
• Access Point Cloning
• Jamming
• Denial of Service
• Brute Force
• Reconfiguration

16
WLAN Deployment Toaster Install

• Out of Box
• Connected to Network
• Default SSID
• No Security configurations
• Could this be happening to you

17
WLAN Deployment SSID / Mac Filtering

• So I blocked SSID and have MAC locking
• Limitations of MAC Address Filtering
• Scalability - Must be administered and propagated
  to all APs. List may have a size limit.
• No way to associate a MAC to a username.
• User could neglect to report a lost card.
• Attacker could spoof an allowed MAC address.
• SSIDs can be determined even if blocked

18
WLAN Deployment WEP

• Limitations of Wired Equivalent Privacy (WEP)
• WEP is inherently weak to due poor key exchange.
• WEP keys are not dynamically changed and
  therefore vulnerable to attack.
• No method for provisioning WEP keys to clients.
• Generations of WEP
• APs that filter weak IVs
• Change keys frequently
• WEP Cracking tools
• Airsnort
• Dwepcrack
• Aircrack aireplay

19
Possible Solutions

• VPN Connectivity
• PPTP
• L2TP
• Third Party
• IPSec
• Many vendors
• Password-based Layer 2 Authentication
• Cisco LEAP
• RSA/Secure ID
• IEEE 802.1x PEAP/MSCHAP v2
• Certificate-based Layer 2 Authentication
• IEEE 802.1x EAP/TLS

20
WLAN Security Comparisons
21
802.1X

• Defines port-based access control mechanism
• Works on anything, wired and wireless
• Access point must support 802.1X
• No special encryption key requirements
• Allows choice of authentication methods using EAP
• Chosen by peers at authentication time
• Access point doesnt care about EAP methods
• Manages keys automatically
• No need to preprogram wireless encryption keys

22
Wi-Fi Protected Access (WPA)

• A specification of standards-based, interoperable
  security enhancements that strongly increase the
  level of data protection and access control for
  existing and future wireless LAN systems
• Goals
• Enhanced Data Encryption (TKIP)
• Provide user authentication (802.1x)
• Be forward compatible with (802.11i)
• Provide non-RADIUS solution for Small/Home
  offices WPA-PSK
• Typically a software upgrade and Wi-Fi Alliance
  began certification testing for interoperability
  on Wi-Fi Protected Access products in February
  2003
• WPA2

23
Wi-Fi Protected Access (WPA)

• WEPs IV only 24 bits and so are repeated every
  few hours ? WPA increased IV to 24 bits repeated
  900 years
• WPA alters values acceptable as IVs
• Protects against forgery and replay attacks
• IV formed MAC address
• TSC
• TKIP New password generated every 10,000 packets
• WPA-PSK ? Passphrase
• WPA 802.ii1 recommend 20-character password
• Crack is brute force based

24
802.1x and PEAP
25
WLAN - 802.1X using EAP/TLS
RADIUS (IAS)
Server Certificate
Domain User/Machine Certificate
3, 5, 7
1, 2, 6
EAP Connection
4
Certification Authority
Laptop
Domain Controller
DHCP
Exchange
File Server
26
Best Practices

• Use 802.1x authentication
• Organize wireless users and computers into groups
• Apply wireless access policies using Group Policy
• Use EAP/TLS and 128 bit WEP 802.1x PEAP
• Set clients to force user authentication as well
  as machine authentication
• Develop a method to manage rogue APs such as LAN
  based 802.1x authentication and wireless
  sniffers.
• Microsoft
• Securing a wireless LAN Security Strategy
• Securing wireless LANs with PEAP and Passwords

27
(No Transcript)
28
Questions and Answers