Document Sample
Wireless_Security Powered By Docstoc
					                Wireless Security
                Issues @ Home &
Ernest Staats
Director of Technology and Network Services (TNS)
MS Information Assurance, CISSP, MCSE, CNA, CWNA, CCNA,
Security+, I-Net+, Network+, Server+, A+
Resources available @
Information Blowin' in the Wind

 Wireless open by default
 Wireless networks “broadcast” data into
  the air
 Anyone can receive the broadcast
 Certain steps must be taken to protect
  “users” of wireless networks
Wireless Basics - 802.11
 2.4 GHz (no license) band
 Only 3 non-overlapping channels (in
 CSMA-CA (50% overhead)
 Half Duplex (talk then listen)
Home Wireless Issues
   Not enough bandwidth         (when downloading or
   Updates chew-up bandwidth
   Co-channel interference (Phones,
   Old Firmware (check for updates every quarter)
   No Security or worse, they use WEP
   SSID broadcast on
   Raises your risk factor that someone
    could obtain personal information or
What Could Happen?
    Slow down your Internet performance.
     View files on your computers and spread
     dangerous software.
     Monitor the Web sites you visit, read
     your e-mail and instant messages as they
     travel across the network, and copy your
     usernames and passwords.
     Send spam or perform illegal activities
     with your Internet connection.
     Changing Default Settings:
 Change the Default logon password and make it long!
 All defaults are known and published on the Net
     updated Jan 2007
   AP Management Interface
      HTTP, SNMP, Telnet
   HTTP Login
      Linksys: UID=blank PW=admin
      DLink: UID=admin PW=blank
      Generic: UID=admin PW=admin
   SNMP (disable SNMP for home use)
      All: PW=public
   Change default no Open systems to WPA2 systems for home
    use a long passphrase
Cell Sizing:
 How far is your WIFI signal going? (that is called your cell
    I can pickup wireless when I go visiting family in ID or
      CO by just turning on my laptop
 Can’t cover whole house?
    Repeater
    Better antenna
    MIMO
    802.11N (if you like Vegas)
    Power Setting
 The Cell size is usually adjusted by the power setting

 Go outside your house and see how far your wireless
   single is reaching you will be surprised.
SSID Naming:
 Identifies network
 Helps others identify whether or not you have left default
  settings on
 Broadcast on by default (turn it off)
       Once again with the default settings your wireless device
        broadcasts its name saying “my name is … connect to me
       Turning off SSID cloaking is called Cloaking
 Avoid naming your SSID a private or personal code (don’t
   make it your password or your name)
 MAC Filtering:
 “MAC Filtering” is where you tell your wireless
  device what other devices can connect to it.
 A MAC address is the hardware number
  that is network card specific (literally
  burned into the network card when it is
 Can be spoofed but is still a good option for
         Obtaining Your MAC Address
      After clicking on the Start Button, click on Run.

      Once a small black window appears, type in ipconfig /all (with a space
       between the g and the /).
      Locate the number to the right of Physical Address. This is your MAC
   Macintosh (OS X):
        If your computer is running OS X, it is best to have it upgraded to at least 10.1
        From the dock, select "System Preferences".
        Select the "Network" Pane
           With the TCP/IP tab selected, the number next to Ethernet Address is you MAC addres
   Linux
           On Linux systems, the ethernet device is typically called eth0. In order to find the MAC address of
            the ethernet device, you must first become root, through the use of su. Then, type ifconfig -a and
            look up the relevant info.
            For example:
                # ifconfig -a eth0 Link encap:Ethernet HWaddr 00:60:08:C4:99:AA inet addr:
                  Bcast: Mask: UP BROADCAST RUNNING MULTICAST
                  MTU:1500 Metric:1 RX packets:15647904 errors:0 dropped:0 overruns:0 TX packets:69559
                  errors:0 dropped:0 overruns:0 Interrupt:10 Base address:0x300
                The MAC address is the HWaddr listed on the first line. In the case of this machine, it is
 WEP – First Wireless Security
   Cracked -- Any middle-schooler can crack your WEP
    key in short order
   Cracked… but
   Key changes

 WPA2
    Cracked… but
    Harder to crack than WPA
 802.1x
    Uses Server to Authorize User
    Can be very secure
 802.11i
    AES encryption – “Uncrackable”
 Wi-Fi Protected Access (WPA)
 WPA: WPA stands for Wi-Fi Protected Access.
  WPA is much better than WEP; we recommend
  that you put at least WPA on your wireless. It
  has been cracked, but it takes much longer and
  is almost not worth the effort.
 For “workgroups”, laptop carts, home users,
 Keep “secret” long and obscure (set a long
  passphrase of at least 20 random characters. Better yet, use
  the full 63 characters by typing a sentence you can remember—
  just don't make it something that's easily guessed, like a line
  from a movie.)
 Additional weakness in social engineering the
 Wi-Fi Protected Access (WPA2)
 WPA2: is very effective for keeping most
    “normal” people off your wireless.
   Changes encryption from RC4 to AES
   coWPAtty v4 can attack and crack it
   Some hardware may not support it
   Firmware upgrade may be necessary
   Use it if available
 Turn It Off:
 The easiest wireless security option.
  When you don’t need it, TURN IT OFF.
      On vacation
      After a certain hour at night
 Turn OFF access point / wireless router
  and your laptop’s wireless card                  (saves your
  battery life some also)
 Turn off DHCP on the router or access point, set a
  fixed IP address range, then set each connected device to
  match. Use a private IP range (like 10.0.0.x) to prevent
  computers from being directly reached from the Internet. Assign
  Static IP Addresses to Devices Or Limit the number of DHCP
  address your router will give out
    Home Wireless Summary
 Change default settings -- SSID and passwords
 Use WPA or (better WPA2)
 Use a MAC filter
 Turn off SSID broadcasting
 Know how far your wireless signal is reaching
 Turn off wireless when not being used for extended time
  periods & Turn off DHCP or limit DHCP
 Disable remote administration
 Update Firmware on AP and wireless cards
 Secure your Home machines
       Current AV
       Firewall (if the wireless router has a firewall option turn it on)
       Spyware protection
       Auto update Windows
       Common Sense (Check the “Secure Your Laptop Section”)
Hot Spot or Public Access
   Everything you do can be observed by other
    people; including your email, logon and
       Etherwatch (driftnet, etherpeg)
            Capture and display images
       Ethereal, Commview, AirMagnet…
            Capture packets and display email, web pages, etc.
   Data is unencrypted
       Unless an application does it
   Your system can be probed to see if
    someone can get into your laptop
 Common Laptop Issues
 Most laptop users leave wireless “on” all
  the time
 Peer attack may be possible
      Firewall might block
 Access to shared folders or
  administrative share “C$”
      \\Name or IP address\c$
 Set WiFi client to “infrastructure”
  Secure Your Laptop
 Turn your firewall on: Start > Settings > Network Connections >
   Wireless Network Connection > Change Advanced Settings >
   Advanced Tab > Windows Firewall Settings > Select “On” > OK

       BETTER YET use Another Firewall (i.e. Kerio, Jetico, or Zone

 Turn ad-hoc mode off: Start > Settings > Network Connections >
   Wireless Network Connection > Change Advanced Settings >
   Wireless Networks Tab > Select Network > Properties > Uncheck
   “This is a computer-to-computer (ad-hoc) network” > OK

 Disable file sharing: Start > Settings > Network Connections >
  Wireless Network Connection > Change Advanced Settings >
  Uncheck “File and Printer Sharing” > OK
 Change Administrator password : Click Start > Control Panel >
  User Accounts. Ensure the Guest account is disabled. Click your
  Administrator User Account, and reset the password
Infrastructure Networks Only
 To allow only connections to approved access points:
      In Control Panel, double-click Network Connections.
       In the Network Connections window, right-click Wireless
       Network Connection, and then click Properties.
       In the Wireless Network Connection Properties dialog
       box, on the Wireless Networks tab, make sure that the
       Use Windows to configure my wireless network settings
       check box is selected.
       Under Preferred networks, make sure that the name of
       the network that you want to connect to is highlighted,
       and then click Advanced.
       In the Advanced dialog box, click Access point
       (infrastructure) network only, and then click Close. Click
VPN Solutions

 AnchorFree's Hotspot Shield, a new free
  software download. Install it on a Windows
  2000 or XP system
       Paid VPN Solutions
 WiTopia's personalVPN,
 HotspotVPN (SSL)
 JiWire's SpotLock (IPSec) software.
 All charge for the VPN connections they
  provide, and require installation of a utility on
  the computer.
Security Tips for Public Hotspots
 Use a personal firewall
 Use anti-virus software (update daily or hourly)
 Update your operating system and other applications
    (i.e. office. adobe reader) regularly.
   Turn off file sharing.
   Use Web-based email that employs secure http (https)
    (beware of some SSL issues though)
   Use a virtual private network (VPN).
   Password-protect your computer and important files
    (make sure your administrator account has a good long
   Encrypt files before transferring or emailing them.
   Make sure you're connected to a legitimate access point.
   Be aware of people around you.
   Properly log out of web sites by clicking log out instead
    of just closing your browser, or typing in a new Internet
 TIPS for WIFI at Work
 TO keep a work WIFI system so it does not drop users as
  they move around all vendors have some common
 Name all your AP's with the same name so if the single
  gets blocked by an individual standing in front of the AP
  or in front of another users laptop and they then get a
  stronger single from another work AP they do not have to
  re authenticate to the work wireless network.
 Make sure all your AP's are on the same subnet if your
  are doing AD authentication.
 Make sure the network is the only one listed on the
  preferred networks under the wireless tab of the "wireless
  network connection properties" on the network card
  adapter settings in control panel.
TIPS for WIFI at Work (cont.)
 Also on the wireless tab of the "wireless
  network connection properties“, click on the
  advanced tab and:
      Make sure it is set on the (Networks to Access)
       section to only access the Access Point also called
       (infrastructure) networks only
      Then make sure the Automatically connect to non-
       preferred networks is unchecked
 These steps will greatly help you only once
  these steps are done, and if you still have
  issues then turning off Windows Zero Config for
  WIFI might help
 Use 802.1x or (better) 802.11i in offices that
  need secure wireless.

Shared By: