Title: Agenda
1. Agenda
- 10:00 - 11:00 Securing wireless networks
- 11:00 - 11:15 Break
- 11:15 - 12:00 Patch Management in the Enterprise
- 12:00 - 1:00 Lunch
- 1:00 - 2:30 Network Isolation using IPSec and Group Policies
- 2:30 - 2:15 Break
- 2:15 - 3:30 Detecting the Hacker
- 3:30 Q&A
2. Wireless LAN Security
- Paul Hogan
- Ward Solutions
3. Session Prerequisites
- Hands-on experience with Windows 2000 or Windows Server 2003
- Working knowledge of networking, including basics of security
- Basic knowledge of WLANs
Level 300
4. These sessions are about
- Operational security
- The easy way is not always the secure way
- Networks are usually designed in particular ways
- In many cases, these practices simplify attacks
- In some cases, these practices enable attacks
- In order to avoid these practices, it helps to understand how an attacker can use them
5. These sessions are NOT
- a hacking tutorial
  - Hacking networks you own can be enlightening
  - HACKING NETWORKS YOU DO NOT OWN IS ILLEGAL
- demonstrating vulnerabilities in Windows
  - Everything we show stems from operational security or custom applications
  - Knowing how Windows operates is critical to avoiding problems
- for the faint of heart
6. The Sessions
7. The Network
8. Why Does Network Security Fail?
Network security fails in several common areas, including:
- Human awareness
- Policy factors
- Hardware or software misconfigurations
- Poor assumptions
- Ignorance
- Failure to stay up-to-date
9. Session Agenda
- WLANs and WLAN issues
- WLAN Deployment models
  - Out-of-box
  - Block SSID / MAC address filtering
  - WEP
  - WPA (WPA-PSK)
- WLAN and Windows Server 2003
10. Wireless LAN Good News
Cheap, easy to deploy, high-performance, radio-based technology that does not respect the physical parameters of a building.
11. Wireless LAN Bad News
Cheap, easy to deploy, high-performance, radio-based technology that does not respect the physical parameters of a building.
12. Wireless LAN
- By 2006, 60 of Fortune 1000 companies will be deploying wireless networks
- By 2010, the majority of Fortune 2000 companies will be heavily dependent on wireless networks.
(Gartner Group, 2003)
13. Wireless Network
And Now a Warning... Corporations turning to wireless for operational flexibility, without considering the security issues, may be carelessly sacrificing the integrity of their systems.
14. Let's go for a drive: Drive-by hacking
- Ward Solutions independent analysis
- Completely non-obtrusive
- Tools
  - Laptop
  - WiFi PCM network card
  - Orinoco driver
  - Netstumbler software
- Results
  - 65 Networks not encrypted
  - 55 NO access controls
  - 45 Broadcasting network name
15. What can be done
- Interception
- Monitoring
- Insertion
- Packet Analysis
- Broadcast Monitoring
- Access Point Cloning
- Jamming
- Denial of Service
- Brute Force
- Reconfiguration
16. WLAN Deployment: Toaster Install
- Out of Box
- Connected to Network
- Default SSID
- No Security configurations
- Could this be happening to you?
17. WLAN Deployment: SSID / MAC Filtering
- So I blocked SSID and have MAC locking
- Limitations of MAC Address Filtering
  - Scalability: must be administered and propagated to all APs. List may have a size limit.
  - No way to associate a MAC to a username.
  - User could neglect to report a lost card.
  - Attacker could spoof an allowed MAC address.
- SSIDs can be determined even if blocked
18. WLAN Deployment: WEP
- Limitations of Wired Equivalent Privacy (WEP)
  - WEP is inherently weak due to poor key exchange.
  - WEP keys are not dynamically changed and therefore vulnerable to attack.
  - No method for provisioning WEP keys to clients.
- Generations of WEP
  - APs that filter weak IVs
  - Change keys frequently
- WEP Cracking tools
  - Airsnort
  - Dwepcrack
  - Aircrack / aireplay
19. Possible Solutions
- VPN Connectivity
  - PPTP
  - L2TP
  - Third Party
- IPSec
  - Many vendors
- Password-based Layer 2 Authentication
  - Cisco LEAP
  - RSA/SecurID
  - IEEE 802.1x PEAP/MSCHAP v2
- Certificate-based Layer 2 Authentication
  - IEEE 802.1x EAP/TLS
20. WLAN Security Comparisons
21. 802.1X
- Defines port-based access control mechanism
  - Works on anything, wired and wireless
  - Access point must support 802.1X
  - No special encryption key requirements
- Allows choice of authentication methods using EAP
  - Chosen by peers at authentication time
  - Access point doesn't care about EAP methods
- Manages keys automatically
  - No need to preprogram wireless encryption keys
22. Wi-Fi Protected Access (WPA)
- A specification of standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for existing and future wireless LAN systems
- Goals
  - Enhanced Data Encryption (TKIP)
  - Provide user authentication (802.1x)
  - Be forward compatible with (802.11i)
  - Provide non-RADIUS solution for Small/Home offices: WPA-PSK
- Typically a software upgrade, and Wi-Fi Alliance began certification testing for interoperability on Wi-Fi Protected Access products in February 2003
- WPA2
23. Wi-Fi Protected Access (WPA)
- WEP's IV is only 24 bits and so is repeated every few hours; WPA increased IV to 24 bits, repeated 900 years
- WPA alters values acceptable as IVs
- Protects against forgery and replay attacks
- IV formed MAC address
- TSC
- TKIP: new password generated every 10,000 packets
- WPA-PSK: passphrase
- WPA / 802.11i recommend 20-character password
- Crack is brute-force based
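
The arithmetic behind the IV figures on this slide, as an added example that is not part of the original deck. The packet rates are assumptions chosen for illustration, and the 48-bit width is that of the TKIP sequence counter (TSC) used by WPA.

```python
import math

SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def wrap_seconds(counter_bits, packets_per_second):
    """Seconds until a per-packet counter (one value per frame) has used
    every value and must repeat under the same key."""
    return (2 ** counter_bits) / packets_per_second


def birthday_packets(iv_bits, probability=0.5):
    """Number of frames after which IVs picked at random repeat with the
    given probability (birthday bound approximation)."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


def collision_probability(iv_bits, packets):
    """Probability that at least two of `packets` randomly chosen IVs are
    equal, i.e. that a keystream is reused before the key changes."""
    space = 2 ** iv_bits
    exponent = packets * (packets - 1) / (2 * space)
    return -math.expm1(-exponent)  # 1 - e^(-x), accurate for tiny x


if __name__ == "__main__":
    # Assumed traffic rates: 1,000 frames/s for WEP, 10,000 frames/s for TKIP.
    wep_hours = wrap_seconds(24, 1_000) / SECONDS_PER_HOUR
    tkip_years = wrap_seconds(48, 10_000) / SECONDS_PER_YEAR
    print(f"24-bit IV, sequential, 1,000 pkt/s : wraps in {wep_hours:.1f} hours")
    print(f"48-bit TSC, sequential, 10,000 pkt/s: wraps in {tkip_years:.0f} years")

    # Random IV selection repeats far sooner than the counter wraps.
    print(f"24-bit IV, random: 50% repeat chance after "
          f"{birthday_packets(24)} frames")

    # Effect of changing the key every 10,000 packets (the slide's interval).
    for bits in (24, 48):
        p = collision_probability(bits, 10_000)
        print(f"{bits}-bit random IV, 10,000 frames per key: "
              f"repeat probability {p:.2e}")
```
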
24. 802.1x and PEAP
25. WLAN - 802.1X using EAP/TLS
[Diagram: Laptop, EAP Connection, RADIUS (IAS), Certification Authority, Domain Controller, DHCP, Exchange, File Server; Server Certificate and Domain User/Machine Certificate; numbered steps 1-7]
26. Best Practices
- Use 802.1x authentication
- Organize wireless users and computers into groups
- Apply wireless access policies using Group Policy
- Use EAP/TLS and 128-bit WEP 802.1x PEAP
- Set clients to force user authentication as well as machine authentication
- Develop a method to manage rogue APs such as LAN based 802.1x authentication and wireless sniffers.
- Microsoft
  - Securing a wireless LAN Security Strategy
  - Securing wireless LANs with PEAP and Passwords
28. Questions and Answers