Securing the Wireless LAN

1
Securing the Wireless LAN

• George Ou
• Network Systems Architect
• Contributing editor ZDNet

2
Contents

• Introduction
• Relative risks of Wireless LANs
• Six dumbest ways to secure a WLAN
• Tools of the wireless LAN hacker
• The best ways to secure the WLAN
• SOHO WLAN implementations
• Enterprise WLAN implementations

3
Introduction

• Wireless security is a huge headache in IT
• Wireless security widely misunderstood
• Wireless security is everyones problem even if
  you dont think you have a WLAN
• Banning WLANs often result in improvised home
  grown solutions
• Wireless LANs can be secured
• Wireless security applicable elsewhere in IT

4
Relative risks of Wireless LANs

• Wireless security is NOT an oxymoron
• Less dangerous than having an Internet connection
  direct or indirect
• Attacks from the Internet can come from anywhere
  on the entire globe
• Web/FTP/Mail/DNS Servers
• Back doors R00TK1T5 that can dial home
• Attacks on Wireless LANs are limited to a couple
  of kilometers

5
Six dumbest ways to secure a WLANOverview

• MAC authentication
• SSID hiding
• LEAP authentication
• Disabling DHCP
• Antenna placement and signal suppression
• Switch to 802.11a or Bluetooth Wireless LANs
• ______________________________________
• Dishonorable mention WEP

Original article on http//blogs.zdnet.com/Ou
6
Six dumbest ways to secure a WLANMAC
authentication

• Use of the word authentication is laughable
• All thats happening is MAC address filtering
• MAC addresses are transmitted in clear text
• Extremely easy to capture
• Extremely easy to clone and defeat
• Extremely difficult to manage MAC filtering

7
Six dumbest ways to secure a WLANMAC spoofing
8
Six dumbest ways to secure a WLANSSID hiding

• No such thing as hiding an SSID
• All thats happening is Access Point beacon
  suppression
• Four other SSID broadcasts not suppressed
• Probe requests
• Probe responses
• Association requests
• Re-association requests
• SSIDs must be transmitted in clear text or else
  802.11 cannot function

9
Six dumbest ways to secure a WLANLEAP
authentication

• Cisco LEAP authentication is extremely weak
• LEAP successor EAP-FAST not much better
• Cisco dominates Enterprise WLAN market
• Significant percentage of Cisco shops use LEAP
  but have started to migrate to EAP-TLS
• LEAP and EAP-FAST are free on client side
• Only Cisco can sell LEAP and EAP-FAST on Access
  Points
• Cisco APs support all open authentication
  standards like EAP-TLS and PEAP

10
Six dumbest ways to secure a WLANDisabling DHCP

• Disabling DHCP and forcing the use of Static IP
  addresses is another common myth
• IP schemes are easy to figure out since the IP
  addresses are sent over the air in clear text
• Takes less than a minute to figure out an IP
  scheme and statically enter an IP address

11
Six dumbest ways to secure a WLANAntenna
placement and signal suppression

• Antenna placement and signal suppression does
  nothing to encrypt data
• The hackers antenna is bigger than yours
• Directional high-gain antennas can pick up a weak
  signal from several kilometers away
• Lowering the signal hurts legitimate users a lot
  more than it hurts the hackers
• Wi-Fi paint or wall paper not 100 leak proof and
  very expensive to implement

12
Six dumbest ways to secure a WLANSwitch to
802.11a or Bluetooth wireless LANs

• 802.11a is a transport mechanism similar to
  802.11b or 802.11g
• 802.11a has nothing to do with security
• Pray that the hacker doesnt have 5 GHz 802.11a
  capable equipment
• Bluetooth is more of a wireless USB alternative
• Can be used for wireless networking but not
  designed as an 802.11 a or b/g replacement

13
Six dumbest ways to secure a WLANDishonorable
mention WEP

• WEP barely missed the six dumbest list because it
  can still hold up for a couple of minutes
• Hacker named KoreK releases new WEP analysis
  tool in August 2004
• WEP coupled with 802.1x and EAP key rotation (AKA
  DWEP) is considered broken
• Packet injection techniques lowers WEP cracking
  times to minutes

Article Next generation WEP cracking tools
14
Tools of the wireless LAN hackerOverview

• Software
• Auditor CD
• Kismet
• ASLEAP
• Void11, Aireplay, Airedump, and Aircrack
• Hardware
• Cheap and compatible cardbus adapters
• Omni directional high-gain antennas
• Directional high-gain antennas
• Off the shelf Laptop computer

15
Tools of the wireless LAN hackerAuditor CD

• Bootable Linux CD with every security auditing
  tool under the sun
• Everything needed to penetrate most wireless LAN
  and more
• Mentioned as a favorite of the FBI
• Relatively easy to use

16
Tools of the wireless LAN hackerKismet

• Kismet is a Linux wireless LAN audit tool
• Can see hidden SSIDs
• Can see MAC addresses
• Can see IP schemes
• Can capture raw packet
• GUI version lays everything out

17
Tools of the wireless LAN hackerASLEAP

• ASLEAP cracks Cisco LEAP authentication
• Exploits weak MSCHAPv2 authentication
• Uses pre-computed indexed hash tables
• Checks 45 million passwords a second
• Upgraded to support PPTP VPN cracking

18
Tools of the wireless LAN hackerVoid11,
Aireplay, Airedump, and Aircrack

• New set of tools makes WEP cracking hundreds of
  times faster
• Void11 forces users to re-authenticate
• Aireplay monitors re-auth session for ARP and
  then plays back the ARP request to trigger
  responses from legitimate computers
• Airedump captures all of the raw packets
• Aircrack only needs 200,000 packets instead of
  10,000,000 packets from previous tools

19
Tools of the wireless LAN hackerHardware Cheap
and compatible cardbus adapters

• Prism 2/3 based 802.11b adapters
• PrismGT based 802.11 b/g adapters
• Atheros based 802.11 a/b/g adapters
• All typically around 40 to 70 USD
• All compatible with Linux cracking tools

20
Tools of the wireless LAN hackerOmni directional
high-gain antennas

• Typically 7 to 9 dB gain
• General purpose surveying and war driving
• Can be used to create evil twin access point
• Less than 100 USD

21
Tools of the wireless LAN hackerDirectional
high-gain antennas

• Used to aim and focus in on victim
• Picks up weak signals many kilometers away
• Around 100 USD

22
Tools of the wireless LAN hackerOff the shelf
Laptops

• Any Laptop or PC can be used for hacking
• New Laptops with good cracking speed are as low
  as 400 USD
• Wireless hacking is NOT cost prohibitive!

23
The best ways to secure the WLANOverview

• Good cryptography allows secure communications
  over unsecured medium
• Follow best practice cryptographic principles
• Strong authentication
• Strong encryption
• WPA and WPA2 standards

24
The best ways to secure the WLANStrong
authentication background

• Strong authentication is often overlooked
• Well established secure authentication methods
  all use SSL or TLS tunnels
• TLS is the successor of SSL
• SSL has been used for nearly a decade in
  E-Commerce
• SSL or TLS requires Digital Certificates
• Digital Certificates usually involves some form
  of PKI and Certificate management

25
The best ways to secure the WLANStrong
authentication in Wireless LANs

• Wireless LANs typically use 802.1x and EAP
• Common standard EAP types are EAP-TLS, EAP-TTLS
  and PEAP
• LEAP and EAP-FAST are not standard
• EAP-TLS requires server and client certificates
• EAP-TTLS and PEAP only require client-side
  certificates
• EAP-TTLS created by Funk and Certicom
• PEAP created by Microsoft, Cisco and RSA

Details on EAP types at http//blogs.zdnet.com/O
u/?p67
26
The best ways to secure the WLANStrong
authentication and RADIUS servers

• EAP authentication requires RADIUS support in
  Access Point and one or more RADIUS servers
• Microsoft Windows 2003 Server has fully
  functional RADIUS component called IAS
• Supports EAP-TLS and PEAP
• Windows 2000 only supports EAP-TLS
• Easily integrates in to NT domains or Active
  Directory
• Funk software makes Steelbelted and Odyssey
• Open source FreeRadius supports broad range of
  EAP types

27
The best ways to secure the WLANStrong encryption

• Encryption is well understood
• No known methods of breaking good encryption
• DES encryption has never been crypto-analyzed in
  nearly 30 years and must be brute forced
• 3DES still considered solid but slow
• AES is the official successor to DES and is solid
  at 128, 192, or 256 bits

28
The best ways to secure the WLANStrong
encryption in Wireless LANs

• RC4 encryption is known to be weak
• WEP uses a form of RC4 encryption
• Dynamic WEP makes WEP cracking harder
• TKIP is a rewritten WEP algorithm
• No known methods against TKIP yet but some
  theoretical attacks are on the horizon
• AES encryption mandated in the newest Wireless
  LAN standards is rock solid

29
The best ways to secure the WLANWPA and WPA2
standards

• WPA used a trimmed down version of 802.11i
• WPA2 uses the ratified 802.11i standard
• WPA and WPA2 certified EAP types
• EAP-TLS (first certified EAP type)
• EAP-TTLS
• PEAPv0/EAP-MSCHAPv2 (Commonly known as PEAP)
• PEAPv1/EAP-GTC
• EAP-SIM
• WPA requires TKIP capability with AES optional
• WPA2 requires both TKIP and AES capability

Details on EAP types at http//blogs.zdnet.com/O
u/?p67
30
SOHO WLAN implementations

• Minimum encryption should be TKIP
• Run AES encryption if possible
• EAP authentication usually not feasible for Small
  offices and home offices
• SOHO WLANs usually rely on WPA-PSK
• PSK (pre-shared keys) are easier than WEP with 26
  HEX digits
• PSK must be at least 8 alphanumeric random
  characters
• Zyxel offers Access Points with PEAP RADIUS
  built-in

31
Enterprise WLAN implementationsWPA and WPA2
standards

• Minimum encryption should be TKIP
• Run AES encryption if possible
• EAP-TLS authentication recommended
• PEAP or EAP-TTLS authentication at a minimum

32
Enterprise WLAN implementationsWireless Switches

• Wireless LAN switches manage large numbers of
  Access Points
• Much easier to manage
• Wireless switch makers
• Symbol
• Cisco Airespace
• Aruba

33
Enterprise WLAN implementationsAdvanced security
implementations

• Multiple Virtual SSID and VLAN support
• VLAN assignment based on group membership
• Guest Wireless LANs that are isolated
• Mitigating WEP security risks for WEP only
  devices using Firewall or Router ACLs (Access
  Control Lists)
• Can be done with single device such as the Cisco
  851W which is a Firewall, Router, Managed Switch,
  and Access Point all-in-one