12_Wireless Security Presentation v6_2003
802.11 Wireless Security
John Berti, Senior Manager
Deloitte – Security and Privacy Services
Agenda
• Introduction to Wireless
• Wireless Networks
• Wireless Security
• Top 8 Security Issues with 802.11
• Security Controls for Wireless Networks
• Summary Best Practices
• Final Thoughts
Introduction to Wireless
Cell Phones
PDAs
WLANs
The Wireless World
Cordless Phones
Toys
Appliances
Introduction to Wireless
(Figure: the electromagnetic spectrum from 10^3 Hz to 10^21 Hz – Radio, Microwave, Infrared, Visible Light, Ultraviolet, X-Ray, Gamma Rays.)
Introduction to Wireless
The Radio Frequency Band
(Figure: frequency axis from 0 MHz to 10 GHz, with each band marked as a licensed or an unlicensed radio frequency.)
• AM Radio (535 – 1605 KHz)
• VHF TV (174 – 216 MHz)
• FM Radio (88 – 108 MHz)
• UHF TV (512 – 806 MHz)
• Analog Cellular (824 – 894 MHz)
• Digital Cellular (1850 – 1900 MHz)
• Cordless Phones, Toys (900 MHz)
• 802.11b, g, Bluetooth, Phones (2.4 GHz)
• 802.11a, g (5 GHz)
Introduction to Wireless
Wireless Networks
What is a Wireless Network
(Diagram: a wireless laptop, wireless phone and wireless PDA, each with a wireless network card, connect through a Wireless Access Point to the Demilitarized Zone (firewall, web servers) and on to the Internal Network.)
Wireless Networks
Wireless Network Standards
Bluetooth
• Intended as a replacement for cables over shorter distances, with an effective range of up to 10 meters.
• 1 Mbps Data Rate
• 2.4 GHz Frequency Band
802.11b
• Extension to 802.11 Wireless LAN standard
• 11 Mbps Data Rate
• 2.4 GHz Frequency Band
• Direct Sequence Spread Spectrum (DSSS)
Wireless Networks
Wireless Network Standards
802.11a
• Extension to 802.11 Wireless LAN standard
• 54 Mbps Data Rate
• 5 GHz Frequency Band
• Orthogonal Frequency Division Multiplexing (OFDM)
802.11g
• Replacement for 802.11b with higher rate
• 54 Mbps Data Rate
• 2.4 GHz and 5 GHz Frequency Bands
Wireless Networks
802.11 Standards Comparison
Wireless Standard | 802.11b | 802.11a | 802.11g
Popularity | Widely Adopted | Not Very Popular | Widely Adopted
Speed | 11 Mbps | 54 Mbps | 54 Mbps
Cost | Inexpensive | More Expensive | Inexpensive
Frequency | 2.4 GHz | 5 GHz | 2.4 GHz
Range | 300 – 1750 ft | 60 – 100 ft | 100 – 150 ft
Public Access | Hotspots available at most airports, colleges and some restaurants and coffee shops | None | Hotspots readily available
Compatibility | 802.11b | 802.11a | 802.11b, 802.11g
Comparison data from http://www.linksys.com/edu/wirelessstandards.asp
Wireless Networks
Other task groups:
• 802.11e – Quality of Service
• 802.11n – 100 Mb over Wireless
• 802.11s – Mesh Networks (Self Healing)
• 802.11r – Fast Hand-off – Re-association from AP to AP
• 802.11p – Wi-Fi in moving vehicles
Wireless Security
• There are numerous risks associated with wireless technology that could potentially be detrimental to an organization and its wireless infrastructure.
• These risks can be categorized into 6 classes:
  – Eavesdropping
  – Transitive Trust
  – Impersonation or masquerading
  – Denial of Service
  – Infrastructure
  – Device vulnerability
• 802.1x – Access Control
  – Complete and published standard for controlled port access
  – Dynamically generated, session based WEP keys
  – Both session & packet authentication
  – User oriented authentication support
  – Extensible Authentication Protocol (EAP) – an extension to RADIUS servers enabling wireless client authentication to the wired LAN.
  – Several vendors, like Cisco and 3Com, have already begun measures to ensure their implementations comply with the latest draft of 802.1x standards
• 802.11i – Security
  – 100% focus on security
  – Standard completed
  – Provides extensions to current WEP requirements
  – Authentication algorithm yet to be determined
  – Advanced Encryption Standard (AES) – block cipher encryption algorithm
Wireless Security
• Wired Equivalent Privacy (WEP) is the standard for WLAN encryption
  – It is not widely used (50% of networks don't use it)
  – Easily broken
  – It uses shared keys
For more details on WEP cracking see the paper by Scott Fluhrer, Itsik Mantin, and Adi Shamir: http://www.drizzle.com/%7Eaboba/IEEE/rc4_ksaproc.pdf
• Newer WLAN equipment will support Wi-Fi Protected Access (WPA) standards
  – Subset of WLAN security standards based on 802.11i working group
  – WPA – TKIP – Changing of keys
  – WPA2 – Advanced Encryption Standard (AES)
Problems with WEP
1. WEP is hardly used!
•In this scan done recently on my way to work only 15 of the 45 access points detected used WEP.
•That’s only 33%.
•Note: Some of these networks may actually use other methods of encrypting data such as VPN
Problems with WEP
2. WEP Can Be Cracked
• The IV is sent as plaintext with the encrypted packet. It can be sniffed.
• XOR is a simple process that can be easily used to deduce any unknown value if the other two values are known
• The first byte of transmitted data is always the same, giving an attacker knowledge of both the plaintext and ciphertext.
(The SNAP header, which equals “AA” in hex or “170” decimal.)
• Certain IV formats are known to be weak. By targeting attacks on packets with weak IVs, the amount of data and analysis needed to derive the shared key is greatly reduced.
• By combining the above observations about the implementation of WEP, hackers have developed tools that can obtain the shared key after collecting approximately 500,000 to 2,000,000 packets with < 1 minute cracking time.
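The first three observations above (cleartext IV, XOR, known SNAP byte) can be seen directly in code. The following Python is an added example and not part of the presentation; the key, IV and frame contents are constructed, and the WEP ICV is left out for brevity.

```python
# Added example (not from the presentation): WEP's per-packet key is IV || shared key,
# the IV is sent in clear, and RC4 keystream repeats whenever the 24-bit IV repeats.
from math import pi, sqrt

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), the stream cipher WEP is built on."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = cleartext IV || (RC4(IV || key) XOR plaintext); ICV omitted."""
    return iv + xor(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))

SNAP_FIRST_BYTE = 0xAA  # first plaintext byte of every 802.11 data frame (SNAP header)

def first_keystream_byte(frame: bytes) -> int:
    """Known plaintext byte XOR observed ciphertext byte = keystream byte for that IV."""
    return frame[3] ^ SNAP_FIRST_BYTE

def expected_frames_until_iv_repeat() -> float:
    """Expected frames before a 24-bit IV repeats (birthday bound), roughly 5,100."""
    return sqrt(pi * 2 ** 24 / 2)

# Constructed demo values: a 40-bit key and two frames sent under the same IV.
KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("000102")
P1 = bytes([0xAA, 0xAA, 0x03]) + b"first packet"
P2 = bytes([0xAA, 0xAA, 0x03]) + b"second frame"
C1 = wep_encrypt(KEY, IV, P1)
C2 = wep_encrypt(KEY, IV, P2)

def iv_reuse_leaks_plaintext_xor() -> bool:
    """Same IV, same keystream: C1 XOR C2 equals P1 XOR P2, with no key involved."""
    return xor(C1[3:], C2[3:]) == xor(P1, P2)
```

The birthday figure is why per-packet re-keying (TKIP) and a larger nonce space (CCMP) matter more than key length.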
Problems with WEP
3. WEP uses a Shared Key
• Using shared keys is impractical on large networks
• Key management is very difficult (Difficult to ensure keys can be periodically changed)
• Knowledge of the shared key is disseminated
• Inevitably someone will incorrectly configure a wireless device
Index | Network Type | ESSID | BSSID (MAC address) | Channel | Cloaked | WEP | Data Rate | Max Signal Strength
1 | Access Point | <no ssid> | 00:01:xx:xx:xx:xx | 11 | No | Yes | 11 | 62
2 | Access Point | <no ssid> | 00:01:xx:xx:xx:xx | 0 | No | No | 0 | 69
3 | probe | wlan | 00:01:xx:xx:xx:xx | 0 | No | No | 11 | 71
4 | probe | wlan | 00:01:xx:xx:xx:xx | 0 | No | No | 11 | 73
5 | unknown | wlan | 00:01:xx:xx:xx:xx | 0 | No | No | 11 | 60
6 | unknown | !OUxxxxxx | 00:40:xx:xx:xx:xx | 6 | No | No | 11 | 71
WPA Security
Wi-Fi Protected Access (WPA) – originally a temporary answer to flaws in WEP. At the heart of WPA is TKIP (Temporal Key Integrity Protocol), which uses re-keying to get away from the problems inherent in static WEP.
Adds authentication through one of two methods:
1) Pre-shared Key (PSK), which is similar to WEP; fine for small networks
2) 802.1x authentication, which uses a backend authentication server such as RADIUS
Top 8 Security Issues with 802.11
Wireless LAN Vulnerabilities – Subtopics
• Detection
• Eavesdropping
• Modification
• Injection
• Hijacking
• WLAN Architecture
• Radio Frequency Management
(Diagram: the WLAN in relation to the corporate intranet and the Internet.)
Detection & Eavesdropping
• Detection – WLAN will generate and broadcast detectable radio waves for a great distance
• Eavesdropping – WLAN signals extend beyond physical security boundaries
Eavesdropping
• Service Set Identifier (SSID) may be broadcasted.
• SSID string may identify your organization.
Eavesdropping
• Standard Wired Equivalent Privacy (WEP) encryption is often not used.
• When used, WEP is flawed and vulnerable.
• No user authentication in WEP.
(Diagram: data exposed to an eavesdropper – clear text passwords, IP addresses, company data.)
Modification, Injection & Hijacking
• Modification
  – Standard Wired Equivalent Privacy (WEP) encryption has no effective integrity protection.
• Injection
  – Static WEP keys can be determined by analysis.
  – Adversaries can attach to the network without authorization.
• Hijacking
  – Adversaries can hijack authenticated sessions protected only by WEP.
WLAN Architecture
• Security Architecture
(Diagram: firewall, internal network, Internet and DMZ, with a rogue AP attached to the network.)
Radio Frequency Management
• Poor RF management will lead to unnecessary transmission of your RF signal into unwanted areas.
• Also consider other devices which may cause interference.
(Diagram: RF signal from Building A reaching the parking lot.)
Wireless LAN Security Controls – Subtopics
1. SSID Broadcasting
2. MAC Address Filtering
3. Security Architecture
4. Radio Frequency Management
5. Encryption
6. Authentication
7. New Wireless LAN Security Protocols
SSID Broadcasting
• Disable the broadcasting of the SSID.
  – Not possible on all Access Points
  – Easily bypassed
  – Only useful on low-value networks
  – SSID should also not be easily correlated to your organization name
MAC Address Filtering
• Some Access Points allow the administrator to specify which link layer (MAC) addresses can attach.
  – Easily bypassed
  – Does not scale
  – Only useful for low-value networks
Security Architecture
(Diagram: Internet – firewall – DMZ with VPN server – firewall – internal network.)
Radio Frequency Management
(Diagram: RF footprint of Building A reaching the parking lot.)
• Use a scanner to determine your RF footprint
• Monitor interference sources
Wireless Encryption
•Static WEP keys are insufficient for many networks
•New secure protocols exist for WLAN protection
•Layered VPN is a common solution for WLAN networks
Subtopics
Wireless LAN Security Mechanisms:
• Access Control
• Authentication
• Encryption
• Integrity
802.11 Wireless LAN Security Protocols:
• 802.1X / Dynamic WEP
• Wi-Fi Protected Access (WPA)
• Wi-Fi Protected Access 2 (WPA2)
Authentication
•Wireless LAN needs an authenticated key exchange mechanism
•Most secure WLAN implementations use Extensible Authentication Protocol (EAP)
• Many EAP methods are available
  – One-factor methods include EAP-MD5, LEAP, PEAP-MSCHAP, TTLS-MSCHAP, EAP-SIM
  – Two-factor methods include EAP-TLS, TTLS with OTP, and PEAP-GTC
•Need mutual authentication
Encryption
• Static WEP
• Dynamic WEP
• Temporal Key Integrity Protocol (TKIP)
  – Uses RC4 Stream Cipher with 128 bit per-packet keys
• Counter-Mode-CBC-MAC Protocol (CCMP)
  – Uses Advanced Encryption Standard (AES) with 128 bit keys
Integrity Protection
•WEP has no cryptographically strong integrity protection
•TKIP uses a new Message Integrity Code called “Michael”
•CCMP uses AES in CBC-MAC mode
802.11 Security Solutions
Mechanism | 802.1x Dynamic WEP | Wi-Fi Protected Access | Wi-Fi Protected Access 2
Access Control | 802.1X | 802.1X or Pre-Shared Key | 802.1X or Pre-Shared Key
Authentication | EAP methods | EAP methods or Pre-Shared Key | EAP methods or Pre-Shared Key
Encryption | WEP | TKIP (RC4) | CCMP (AES Counter Mode)
Integrity | None | Michael MIC | CCMP (AES CBC-MAC)
Tools and Techniques
Hacker Tools and Techniques
Discovery
Association Polling
  – Set SSID to "Any" on Client
  – Card automatically associates with the strongest AP
  – Default setting for most wireless clients
  * Reason that Fake APs are a threat to unsuspecting clients
Scan Mode Polling
  – Send a Scan Request to the card, receive a Scan response back with AP info
  – Card keeps track of received beacon packets and probe requests
  – Will detect both APs as well as ad hoc networks
  – Will only detect Access Points that are configured to Beacon the SSID
  – Technique used by Netstumbler
Hacker Tools and Techniques
Discovery
Monitor Mode Protocol Analysis
  – Sets card into monitor mode and analyzes beacons and probes
  – Will detect closed APs & wireless nodes
  – Allows access to information such as SSID, Authentication Mechanisms, Encryption Types, Speeds, etc.
  – Used by tools like Kismet
Hacker Tools and Techniques
Discovery Tools
Netstumbler
• Latest version of NetStumbler requires Windows 2000, Windows XP, or better.
• The Proxim models 8410-WD and 8420-WD are known to work. The 8410-WD has also been sold as the Dell TrueMobile 1150, Compaq WL110, Avaya Wireless 802.11b PC Card, and others.
• Most cards based on the Intersil Prism/Prism2 chip set also work.
• Most 802.11b, 802.11a and 802.11g wireless LAN adapters should work on Windows XP. Some may work on Windows 2000 too. Many of them report inaccurate signal strength, and if using the "NDIS 5.1" card access method then noise level will not be reported.
Hacker Tools and Techniques
Discovery Tools
Kismet
• Runs on Linux
• Cards must be capable of running in RF-Monitor Mode
• Can also be set up with drones to use it as a wireless intrusion detection solution.
Summary Best Practices
• Understand and respect the fact that WLANs are difficult to manage
• Implement WLAN policies and management processes
• Treat your WLAN like the Internet and run a VPN connection over it
• Change the default vendor-set SSID for access points and for WLAN terminals
• Use Port access-control to protect WLANs from unauthorized access
• Use at least WEP encryption (128-bit), and some other access control mechanism (RADIUS)
• Ensure that access points are not broadcasting their SSIDs
• Scan for, and make it known to employees that they are not permitted to install, rogue access points
• Utilize WLAN network cards that support password-protection of attribute changes
• Deploy real-time, content-level security measures (such as antivirus firewalls) in conjunction with each WLAN access point
Deployment Considerations
• Site Survey – Think vertical and horizontal!
• Layer Security
  – Secure Access Point
  – Use Secure Protocols (802.1x, IPSEC, SSL, etc)
  – Access Controls
• Logging, Monitoring, and Alerting Mechanisms
  – How do you know you are being attacked?
• Education and Awareness
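The monitoring question above ("How do you know you are being attacked?") and the best practice of scanning for rogue access points can be turned into a routine check over scanner output. The following Python is an added example and not part of the presentation; the scan rows (in the column order of the listing shown earlier), the authorized BSSID inventory and the organisation-name hint are all constructed assumptions.

```python
# Added example (not from the presentation): audit a wireless scan listing, in the
# column order used earlier in the deck, against a hypothetical AP inventory.

# Constructed scan output: Index, Network Type, ESSID, BSSID, Channel, Cloaked, WEP,
# Data Rate, Max Signal Strength.
SCAN_TEXT = """\
1 Access Point corp-wlan 00:01:aa:bb:cc:01 11 No Yes 11 62
2 Access Point <no ssid> 00:01:aa:bb:cc:02 6 Yes Yes 11 69
3 Access Point acme-finance 00:40:dd:ee:ff:03 1 No No 11 71
4 probe wlan 00:01:aa:bb:cc:09 0 No No 11 73
"""

# Hypothetical inventory of deployed BSSIDs, and strings that would tie an SSID to
# the organisation's name (both are assumptions for this example).
AUTHORIZED_BSSIDS = {"00:01:aa:bb:cc:01", "00:01:aa:bb:cc:02"}
ORG_NAME_HINTS = ("acme",)

def parse_scan(text: str) -> list:
    """Parse each line into a dict; the six right-most columns are single tokens."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9:
            continue
        *head, bssid, channel, cloaked, wep, _rate, _signal = parts
        if head[1:3] == ["Access", "Point"]:  # the only two-word network type
            net_type, essid = "Access Point", " ".join(head[3:])
        else:
            net_type, essid = head[1], " ".join(head[2:])
        rows.append({"index": int(head[0]), "type": net_type, "essid": essid,
                     "bssid": bssid.lower(), "channel": int(channel),
                     "cloaked": cloaked == "Yes", "wep": wep == "Yes"})
    return rows

def audit(rows) -> list:
    """Return (index, finding) pairs for access points that break the deck's controls."""
    findings = []
    for r in rows:
        if r["type"] != "Access Point":
            continue  # probes and ad-hoc nodes are reviewed separately
        if r["bssid"] not in AUTHORIZED_BSSIDS:
            findings.append((r["index"], "rogue-ap-candidate"))
        if not r["wep"]:
            findings.append((r["index"], "no-link-encryption"))
        if any(h in r["essid"].lower() for h in ORG_NAME_HINTS):
            findings.append((r["index"], "ssid-reveals-organisation"))
    return findings
```

Run periodically (or from Kismet drones) and alert on any new finding, so a rogue AP shows up as a diff against the inventory rather than as a surprise.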