ITEC4621
Wireless Security
Dr. Supakorn Kungpisdan

MUT, THAILAND

ITEC4621: Network Security              1
Outline

 Wireless LAN Standards
 WLAN Security Problems
 WLAN Security Mechanisms
 Wireless Security Countermeasures
 Steps in Securing a Wireless Network




                                         2
Roadmap

 Wireless LAN Standards
 WLAN Security Problems
 WLAN Security Mechanisms
 Wireless Security Countermeasures
 Steps in Securing a Wireless Network




                                         3
Wireless LAN Standards
 IEEE 802.11b (Wi-Fi) Standard.
    Employs Direct Sequence Spread Spectrum (DSSS)
    Operates in the 2.4 GHz band.
    Supported data rates are 1, 2, 5.5, and 11 Mbps.
    Security measures: WEP
 IEEE 802.11a Standard.
    Employs Orthogonal Frequency Division Multiplexing
     (OFDM).
    Operates in the 5.0 GHz band.
    150 feet indoor, 300 ft outdoor
    Supported data rates are 6, 9, 12, 18, 24, 36, 48, and 54
     Mbps.
    6, 12, and 24 are mandatory. All others are optional.
    Security measures: WEP, OFDM
    No backward compatibility with 802.11b clients
                                                                   4
WLAN Standards (cont’d)

 IEEE 802.11g standard
  Employs OFDM
  Operates in the 2.4 GHz band.
  Ideal 1,000 ft, normally 150 ft indoor, 300 ft outdoor
  Supported data rates are 6, 9, 12, 18, 24, 36, 48, and 54
   Mbps.
  6, 12, and 24 are mandatory. All others are optional.
  Security measures: WEP, OFDM, and possibly WPA (Wi-Fi
   Protected Access) using AES (in WPA2)
  Has backward compatibility with 802.11b clients

                                                           5
WLAN Standards (cont’d)
 IEEE 802.15 Wireless Personal Area Network (WPAN)
    For short range and low power peripheral connections.
    Employs FHSS (frequency-hopping spread spectrum) with
     TDMA (Time division multiple access) in the 2.4 GHz ISM
     (Industrial, Scientific, and Medical) frequency band.
    Short links from 30 - 300 feet.
    Data rate up to 720 Kbps
 IEEE 802.16 Wireless Metropolitan Area Network (WMAN)
    Intended for large area broadband wireless coverage
       Becoming popular in US and UK.
    Supports TCP/IP, VoIP and ATM services.
    Security is based upon X.509 with RSA.
    Operates in the range of 2GHz - 66 GHz.
                                                                      6
802.11 Basic Components
 Wireless Medium.
    The Radio Frequency spectrum used to transfer frames
     between the wireless station and the AP or between wireless
     stations.
 Wireless Stations.
    Computing devices with wireless network interfaces.
    Typically battery operated laptops or handheld computers.
 Access Points (AP).
    APs form a bridge between wired and wireless medium.
 Distribution System (DS).
    A wired/wireless medium which connects APs to one another.


                                                                   7
  Wireless and Wired Networks: Example
[Figure: Internet -> Firewall -> Internal Network (PKI, RADIUS, hosts, DHCP/DNS)
 -> Access Point Backbone -> AP1 and AP2.]
                                                                 8
Roadmap

 Wireless LAN Standards
 WLAN Security Problems
 WLAN Security Mechanisms
 Wireless Security Countermeasures
 Steps in Securing a Wireless Network




                                         9
Wireless Security Problems
 New Threats.
   Anonymous, uncontrolled radio coverage areas -> rogue APs
   Roaming end point mobility
   Attacks on crypto algorithms with powerful computers
 Known Risks.
   Unauthorised monitoring.
   MAC address spoofing
   Brute force attacks on AP password e.g. using ettercap,
    airsnort, WEPcrack, etc.
   Encryption attacks.
   Passively intercept and decode transmitted data.
   Attacker can be up to 20 miles from target
   Misconfigurations

                                                              10
Wireless Security Problems (cont’d)
 War Dialing
    A war dialer would dial multiple numbers looking for an
     insecure modem connected to a computer system
 War Drivers
    A war driver drives around looking for wireless access points
     connected to networks
 War Walkers
    Walking instead of driving




                                                                     11
Wireless Security Problems (cont’d)
[Figure only; the slide image was not captured in the text extraction.]

                                      12
Wireless Security Problems (cont’d)

 War Chalking
[Figure only; the slide image was not captured in the text extraction.]

                                      13
Wireless Security Problems (cont’d)
[Figure: Internet -> Organization Firewall -> LAN; a Rogue AP attached to the LAN
 is reached by a Hacker outside the firewall.]
                                                   14
Wireless Security Problems (cont’d)

 Access Points normally ship in an unsecured
  configuration to emphasize ease of use and
  installation.
   Wired Equivalent Privacy (WEP)
      APs normally ship with WEP turned off
      40- and 128-bit encryption are subject to known flaws.
   SNMP Community passwords
      Many are set to "public"
      3Com: "comcomcom"




                                                               15
Default SSID Names
[Figure only; the table of default SSID names was not captured in the text extraction.]

                     16
Roadmap

 Wireless LAN Standards
 WLAN Security Problems
 WLAN Security Mechanisms
 Wireless Security Countermeasures
 Steps in Securing a Wireless Network




                                         17
Authentication

Shared Key Authentication
Open Key Authentication

                             18
Shared Key Authentication
[Figure: shared key authentication exchange; the slide image was not captured.]

                            19
Open Key Authentication
[Figure: open key authentication exchange; the slide image was not captured.]

    Data will be encrypted with WEP key while transmitted
                                                            20
Wired Equivalent Privacy (WEP)
 WEP standard was created to give wireless networks
  safety and security features similar to that of wired
  networks
 3 goals to achieve:
    Prevent eavesdropping (confidentiality)
    Allow authorized access to a wireless network (availability)
    Prevent the tampering of any wireless communication
     (integrity)
 Deploys RC4 symmetric encryption with 2 levels of
  security:
    64-bit: 40-bit encryption key and 24-bit initialization vector
    128-bit: 104-bit encryption key and 24-bit initialization vector

                                                                    21
WEP (cont’d)
[Figure: WEP frame processing. Internet checksum, then RC4 encryption.]

                                    22
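As an added illustration (not from the lecture), the WEP encapsulation just diagrammed in Python: a plain RC4 keystream, the CRC-32 integrity check value, and the 24-bit IV prepended in the clear; the last function applies the birthday bound to show how soon an IV repeats under one key, which is the root of the known flaws later slides refer to. Key, IV and payload values are constructed.

```python
import math
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + output generation), the cipher WEP uses."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: the CRC-32 of the payload, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encapsulate(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """IV (24 bits, sent in the clear) || RC4(IV || key, payload || ICV)."""
    if len(key) not in (5, 13) or len(iv) != 3:   # 40- or 104-bit key, 24-bit IV
        raise ValueError("WEP needs a 5- or 13-byte key and a 3-byte IV")
    plaintext = payload + icv(payload)
    keystream = rc4_keystream(iv + key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))


def wep_decapsulate(key: bytes, frame: bytes):
    """Return (payload, icv_ok); icv_ok is False for a wrong key or a modified frame."""
    iv, body = frame[:3], frame[3:]
    keystream = rc4_keystream(iv + key, len(body))
    plaintext = bytes(c ^ k for c, k in zip(body, keystream))
    payload, received_icv = plaintext[:-4], plaintext[-4:]
    return payload, received_icv == icv(payload)


def frames_until_iv_repeat(p: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: number of randomly chosen IVs after which one repeats with
    probability p. A repeated IV under the same key reuses the RC4 keystream,
    which is why the 24-bit IV is a known weakness of WEP."""
    return math.ceil(math.sqrt(2 * (2 ** iv_bits) * math.log(1 / (1 - p))))
```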
802.1x Authentication
[Figure: 802.1x authentication architecture; the slide image was not captured.]

                        23
802.1x Authentication (cont’d)

 Authentication Server
  Provides access granting and rejecting features
  Covered by a separate standard (RADIUS)
 Authenticator
  The first device that an 802.1x client attempts to
   connect to
 Supplicant
  The device that wants to connect to the 802.1x network,
   e.g. PDA, laptop



                                                              24
EAPOL
 Extensible Authentication Protocol Over Local Area
  Network
 A part of EAP because the 802.1x standard allows certain
  EAP message types to pass through an authenticator to
  the supplicant
 Only 6 EAP frame types are allowed to pass through an
  access point to a client
    EAPOL-Packet: identifies the packet as an EAP packet
    EAPOL-Start: begins an EAP conversation
    EAPOL-Logoff: ends an EAP conversation
    EAPOL-Key: exchanges keying information between the
     authenticator and the supplicant
    EAPOL-Encapsulated-ASF-Alert: carries SNMP trap information
     out of a non-802.1x authenticated port

                                                                25
EAPOL Diagram
[Figure: EAPOL frame layout; the slide image was not captured.]

SNAP: Subnetwork Access Protocol

                                   26
RADIUS
 RADIUS (RFC 2138, 2139)
   “Remote Authentication Dial-In User Service”
   an authentication, authorization and accounting protocol
    (AAA) used for remote network access
   To have an inside server act as a gatekeeper to verify
    identities through a username and password
   A RADIUS server can also be configured to enforce user
    policies and restrictions as well as recording accounting
    information such as time connected for billing purposes.
   A high end enterprise RADIUS server example would be
    NavisRadius by Lucent Technologies. It can be used by an
    ISP for verification and time tracking for billing.

                                                                27
RADIUS (cont’d)

 4 types of packets for authentication
  Access-Request: allow the RADIUS sequence to take
   place
  Access-Accept: informs RADIUS client that the
   authentication provided to it was correct
  Access-Reject : informs RADIUS client that the
   authentication provided to it was incorrect
  Access-Challenge: challenge a RADIUS client for its
   authentication credentials



                                                         28
RADIUS Frame Format
[Figure: RADIUS frame format; the slide image was not captured.]

                      29
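An added example (not from the slides) of the RADIUS frame format and the Access-Request / Access-Accept exchange described above: it builds an Access-Request with a hidden User-Password and shows the check a RADIUS client must perform on the Response Authenticator before trusting an Access-Accept. The shared secret, user and authenticator bytes are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2138 User-Password hiding: c_i = p_i XOR MD5(secret || c_(i-1)), c_0 = authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def encode_attrs(attrs) -> bytes:
    """Attribute-Value Pairs: Type (1) | Length (1, includes these two bytes) | Value."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes = None):
    """Code | Identifier | Length | 16-byte Request Authenticator | attributes."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable per request
    attrs = encode_attrs([(ATTR_USER_NAME, username),
                          (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret), RFC 2138 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, identifier: int, attrs, request_auth: bytes, secret: bytes) -> bytes:
    attrs_b = encode_attrs(attrs)
    auth = response_authenticator(code, identifier, attrs_b, request_auth, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs_b)) + auth + attrs_b


def verify_response(packet: bytes, request_auth: bytes, secret: bytes, expected_id: int) -> bool:
    """Client-side check: drop any reply whose Identifier or Response Authenticator does
    not match the outstanding request, otherwise a spoofed Access-Accept would be honoured."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if identifier != expected_id or length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)
```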
Extensible Authentication Protocol (EAP)

 Designed to work with existing protocols that require
  authentication without having to write any extra code




                                                          30
EAP Fields (cont’d)
 Code: 4 types of code
    EAP Request: makes initial request
    EAP Response: informs the requestor that their request was
     made
    EAP Success: validates that the authentication took place
    EAP Failure: indicates the failure of EAP connection
 Identifier: distinguishes when multiple clients
  authenticate with EAP at the same time
 Length: indicates the length of EAP packet
 Data: data to provide authentication
    EAP-MD5: data is hashed and attached to Data field
                                                                  31
EAP-MD5
 Requires a shared secret to be exchanged out of band
 Packets are encrypted using the shared secret
[Figure: EAP-MD5 exchange. The authenticator sends the challenge in cleartext;
 the supplicant sends back the encrypted hashed username & password.]

                                                                       32
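An added example, not part of the slides, covering the EAPOL frame types, the EAP Code/Identifier/Length/Data fields and the EAP-MD5 exchange above: it builds and parses EAPOL-encapsulated EAP packets and performs the authenticator's check of an MD5-Challenge response (MD5 of identifier, shared secret and challenge, per RFC 3748). The secret, challenge and names are constructed.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

EAPOL_TYPES = {0: "EAPOL-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_MD5 = 4   # EAP method type for MD5-Challenge

@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int]   # None for Success / Failure, which carry no data
    data: bytes

def build_eapol(eapol_type: int, body: bytes, version: int = 1) -> bytes:
    return struct.pack("!BBH", version, eapol_type, len(body)) + body

def parse_eapol(frame: bytes):
    """Return (EAPOL type name, body); reject unknown types and truncated frames."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    _version, eapol_type, length = struct.unpack("!BBH", frame[:4])
    if eapol_type not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL type {eapol_type}")
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body shorter than declared length")
    return EAPOL_TYPES[eapol_type], body

def build_eap(code: int, identifier: int, eap_type: Optional[int], data: bytes) -> bytes:
    payload = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload

def parse_eap(body: bytes) -> EapPacket:
    """Decode the Code / Identifier / Length / Data fields of an EAP packet."""
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES or length < 4 or length > len(body):
        raise ValueError("bad EAP code or length")
    if code in (3, 4):
        return EapPacket(code, identifier, None, b"")
    if length < 5:
        raise ValueError("Request/Response without a Type byte")
    return EapPacket(code, identifier, body[4], body[5:length])

def md5_challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 value (RFC 3748 section 5.4): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def verify_md5_response(request: EapPacket, response: EapPacket, secret: bytes) -> bool:
    """Authenticator-side check of an EAP-MD5 Response against the Request it answers."""
    if (response.code != 2 or response.eap_type != EAP_TYPE_MD5
            or request.identifier != response.identifier
            or not request.data or not response.data):
        return False
    challenge = request.data[1:1 + request.data[0]]   # Value-Size byte, then Value
    value = response.data[1:1 + response.data[0]]
    return len(value) == 16 and value == md5_challenge_response(request.identifier, secret, challenge)
```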
LEAP
 Lightweight Extensible Authentication Protocol
 Cisco proprietary protocol




                                                   33
WEP vs WPA
 WEP
    Wired Equivalent Privacy
    The freeware utility called WEPCrack available from
     http://wepcrack.sourceforge.net/ can be used by crackers to
     break in by examining packets and looking for patterns in the
     encryption.
 WPA (WiFi Protected Access)
    Uses TKIP (Temporal Key Integrity Protocol) as the encryption
     algorithm (optional AES-CCMP encryption)
    WPA2 includes AES-CCMP encryption
    Both WPA and WPA2 support RADIUS authentication


                                                                     34
Roadmap

 Wireless LAN Standards
 WLAN Security Problems
 WLAN Security Mechanisms
 Wireless Security Countermeasures
 Steps in Securing a Wireless Network




                                         35
Physical Security Considerations

   Conceal APs from sight.
   Keep APs away from employees.
   Properly secure outside APs.
   Properly name access points for troubleshooting.
   Enhance AP authentication.
   Ensure RF containment.
     Sector network areas with directional antennas.
     Metallic paint on walls.
     Metallic foil inside walls.
     Metallic window blinds.
     Reduce signal strength to suitable range



                                                        36
Wireless Security Policy
Create wireless security policy and implement it:
 Wireless Accessibility.
     Use Default settings?
     Use Remote Authentication Dial-In User Service (RADIUS)?
     Employ SSID, MAC Filtering, WEP encryption?
     Use IPSEC?
   Employ IDSs?
   Employ firewalls?
   Lost/stolen wireless stations?
   Employ stronger encryption algorithms?
   Allow/not allow data storage on wireless stations?


                                                         37
Access Point Choice/Placement
 Choosing an AP (capabilities vs threat analysis):
  Closed System,
  128-bit WEP,
  VPN
 Secure placement and enhance AP
  authentication.




                                              38
Implement MAC Filtering
 A unique 48-bit hexadecimal number identifying a
  hardware address.
 Allows the administrator to permit access only to
  wireless-capable computers whose interfaces carry
  certain MAC IDs
 However, MAC IDs over a network can be faked.
 Cracking utilities such as SMAC are widely available




                                                              39
Implement Protocol Filtering
 Implement protocol filters on the routers or
  access devices at the edge of the network.
 Rules can be based upon:
   Port number
   Protocol type
 Restrict Ports and Protocols based upon policy.
  Filter ICMP to prevent DoS
  Filter FTP and Telnet to prevent configuration alteration.
  Filter on music to conserve bandwidth.
 Test the filters before implementing them.


                                                            40
Wireless LAN and Firewalls
 Install a firewall to separate the DMZ from the internal
  and external network.
 Install a personal firewall on all individual hosts.
 APs should be placed outside firewalls or within DMZ
 Filter both inbound and outbound connections.
 Activate and check logging regularly.




                                                             41
Wireless LAN and Firewalls (cont’d)
[Figure: the AP sits in a DMZ between the Internet and the Firewall; the Internal LAN
 behind the firewall holds the Authentication Server and other servers.]
                                                   42
Wireless LAN and IDS
 Install a NIDS on the wireless DMZ
 Install a HIDS on selected servers.
  Log file monitors
  Integrity monitors
  Signature scanners
  Activate and check logging.




                                        43
Wireless LAN and IDS
[Figure: Wireless User -> AP on the Internet side of the Firewall; a Network IDS
 monitors the wireless segment and a Host IDS runs on the Internal LAN servers.]
                                                                 44
Wireless LAN and VPN
 VPN provides for Point-to-Point encryption and
  authentication.
 The VPN server on the LAN can provide both the
  authentication and the encryption requirements.
    In practice the RADIUS performs the authentication while
    the VPN provides the encryption.
 Multiple key changes over time.




                                                                45
Virtual Private Network
[Figure: Wireless User -> AP -> Firewall -> LAN containing the VPN Server and the
 RADIUS Server.]
  RADIUS: Remote Authentication Dial-in User Service
                                                                   46
Roadmap

 Wireless LAN Standards
 WLAN Security Problems
 WLAN Security Mechanisms
 Wireless Security Countermeasures
 Steps in Securing a Wireless Network




                                         47
Steps in Securing a Wireless Network

1. Use WPA2 encryption if possible.
        WPA encryption is the next best alternative.
2. Change the default SSID name
        Do not change it to a company or person’s name or to the name of any
         network equipment that you use.
3. Disable the SSID broadcast option
        Disabling this option will make it harder for crackers to connect.
4. Change the default password needed to access a wireless device
        can prevent crackers from accessing and changing your network
         settings.
5. Enable MAC address filtering
        only allow access by devices containing certain MAC IDs.
        not a foolproof solution, but can slow down a cracker


                                                                              48
Steps in Securing a Wireless Network
(cont’d)
6. Set static DHCP
        using a DHCP system that has pre-assigned addresses per MAC ID
         is a helpful way of keeping undesirables from making an easy
         connection to APs
7. Disable File and Print Sharing
        can further limit a cracker’s ability to steal data or commandeer
         resources.
8. Segment the AP wired portion of your network on to a separate LAN
        allows you to separate this traffic and may lessen the access that a
         cracker gets to your LAN
9. Routing protocols should be filtered to the APs
        This can eliminate network injection attacks.
10. Wireless coverage area should be fit to the desired area
        Directional antennas should be used, if possible, at the perimeter
         directing their broadcasting inward
        Some APs offer attenuation levels to be set via their web-based
         setup utility. (reduce signal strength)
                                                                                49
Additional Guidelines
 An AP is a REMOTE Access Service!
      Do not use the defaults.
      Filter on MAC addresses.
      Search for unauthorised APs using AP auditing tools.
      Conduct regular AP security audits and penetration tests.
 Protect the Wireless Client.
    Provide specified IP ranges for WLAN.
    Force wireless users to install personal firewalls
    Enforce security of services for wireless clients with VPN.




                                                                   50
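An added example, not from the slides, of the kind of check a wireless NIDS (the "Wireless LAN and IDS" slides) or an AP auditing tool (the "search for unauthorised APs" guideline above) performs: it compares constructed beacon observations against an authorised-AP inventory and the deck's own policy, flagging unknown APs, hardware impersonating the corporate SSID, and authorised APs running open or WEP. The inventory, BSSIDs and scan rows are constructed.

```python
from dataclasses import dataclass

# Constructed inventory for an imaginary site: authorised BSSID -> (SSID, channel)
AUTHORISED_APS = {
    "00:11:22:aa:bb:01": ("corp-wlan", 1),
    "00:11:22:aa:bb:02": ("corp-wlan", 6),
}
ALLOWED_SECURITY = {"WPA2"}   # policy from the slides: WPA2 if possible, never open/WEP


@dataclass(frozen=True)
class Beacon:
    """One observation from a scanner or wireless NIDS beacon log (constructed)."""
    ssid: str
    bssid: str
    channel: int
    security: str   # "OPEN", "WEP", "WPA" or "WPA2"


def audit(beacons):
    """Return (severity, bssid, reason) findings; an empty list means a clean scan."""
    findings = []
    our_ssids = {ssid for ssid, _ in AUTHORISED_APS.values()}
    for b in beacons:
        entry = AUTHORISED_APS.get(b.bssid.lower())
        if entry is None:
            if b.ssid in our_ssids:   # unknown hardware impersonating the corporate SSID
                findings.append(("high", b.bssid, f"unknown AP advertising our SSID {b.ssid!r}"))
            else:                     # unauthorised AP in range (rogue or neighbour)
                findings.append(("medium", b.bssid, f"unauthorised AP {b.ssid!r} in range"))
            continue
        ssid, channel = entry
        if b.ssid != ssid:
            findings.append(("high", b.bssid, f"authorised AP now broadcasting {b.ssid!r}"))
        if b.channel != channel:
            findings.append(("low", b.bssid, f"on channel {b.channel}, expected {channel}"))
        if b.security not in ALLOWED_SECURITY:
            findings.append(("high", b.bssid, f"{b.security} in use, policy requires WPA2"))
    return findings


# Constructed scan: one healthy AP, one misconfigured AP, one impersonator, one stray AP
SAMPLE_SCAN = [
    Beacon("corp-wlan", "00:11:22:aa:bb:01", 1, "WPA2"),
    Beacon("corp-wlan", "00:11:22:aa:bb:02", 11, "WEP"),
    Beacon("corp-wlan", "de:ad:be:ef:00:01", 6, "OPEN"),
    Beacon("linksys", "02:00:00:12:34:56", 6, "OPEN"),
]

if __name__ == "__main__":
    for severity, bssid, reason in audit(SAMPLE_SCAN):
        print(f"[{severity:6}] {bssid}  {reason}")
```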
Wireless Network Tools
 Airsnort
    recovers encryption keys; it operates by passively monitoring
     transmissions, computing the encryption key when enough
     packets have been gathered.
 NetStumbler
    Wireless network scanning tool; used for site surveys, detecting rogue
     access points, and finding and mapping WLAN installations.
 Kismet
    capable of sniffing using most wireless cards, automatic
     network IP block detection via UDP, ARP, and DHCP
     packets.
                                                                    51
Questions?
                               Next week
                         Program Security



  ITEC4621: Network Security                52

				
Posted on Docstoc: 10/9/2012, 52 pages