Wired or Wireless?

James Tucker, 459650490, Dr. Durrett, ISQS 6342


Transcript of Wired or Wireless?

Page 1: Wired or Wireless?

Wired or Wireless?
James Tucker
459650490
Dr. Durrett
ISQS 6342

Page 2: Wired or Wireless?

Summary
– Food for Thought
– Corporate Level
– University Level
– Public Access Level

Page 3: Wired or Wireless?

Food For Thought [1]

10 Steps to Secure a Wireless Network
– Control your broadcast area
– Lock each AP
– Ban rogue access points
– Use 128-bit WEP
– Use SSIDs wisely
– Limit access rights
– Limit the number of user addresses
– Authenticate users
– Use RADIUS
– Call in the big boys

Page 4: Wired or Wireless?

Control your broadcast area: wireless access points allow for control of signal strength, and some direction. Place in center of area.

Lock each AP: people don’t change the darn defaults! Change them – and MAKE IT GOOD!!! (www.pcmag.com/passwords, click on password dos and don’ts)

Ban rogue access points: if you have an AP on your network, make sure you put it there. (www.netstumbler.com)

Page 5: Wired or Wireless?

Use 128-bit WEP: adds a layer of difficulty. HOWEVER easily cracked with freeware (http://airsnort.shmoo.com)

Use SSIDs wisely: Change the defaults – AGAIN! Service Set Identifiers (SSIDs) show all your AP information. Also, buy a product that allows you to disable broadcasting the SSIDs.

Limit access rights: Authorized MAC cards only!

Page 6: Wired or Wireless?

Limit # of user addresses: constrict the # of DHCP addresses to just enough – then if you have some connection trouble you know you have unauthorized access!

Authenticate users: firewalls with VPN connectivity, and require log-ons.

Use RADIUS: provides another authentication method (time of day & simultaneous) – can be pricey. (www.freeradius.org)

Call in the big boys: AirDefense, server appliance that monitors activity and protects traffic on LANs – really pricey ($10k - $100k depending on # sensors)

Page 7: Wired or Wireless?

Corporate Level
Attacks to Consider:
- WEP Attacks
- WAP Attacks
- Brute Force

Page 8: Wired or Wireless?

Corporate Level
Security Design
– IT Sub Department
  - Spec Hardware
  - Spec Software
– Diagram User Levels
  - Define User Access
– Define LAN Architecture (Wired and Wireless)
– Define DMZs
– Define Firewall Protocols
– Define Wireless Sniffing Tools

Page 9: Wired or Wireless?

Corporate Level
IT Sub Department: ruthless individuals
– Spec Hardware based upon needs (# of APs defined by # of users, etc…)
  - Go for 802.11a!!!
– Spec Software based upon required security
  - Granted – Pocketbook is King
Diagram User Levels: who needs access to what?
– Employee status, Employee Area, Employee Expertise

Page 10: Wired or Wireless?

Corporate Level
Define LAN Architecture: Does the entire building need wireless? Remember 10 steps.
– Hardwire offices, meeting rooms, etc…
– Wireless for open spaces, floor level access for IT employees
Define DMZs: What is available online? What is available to Wireless protocols?

Page 11: Wired or Wireless?

Demilitarized Zones

Page 12: Wired or Wireless?

Corporate Level
Define Firewall Protocols
– Allow only ports and protocols needed
– Kill Telnet, ping, port-scan, etc…
Define Wireless Sniffing Tools
– Use of sniffers to determine unauthorized access is becoming more and more popular. Example: Wavelink’s Mobile Manager. (www.wavelink.com, www.mcafee.com)

Page 13: Wired or Wireless?

Mobile Manager by Wavelink

Reduction of DNS attacks through Access Point profiles (streamlining of all AP profiles)

Page 14: Wired or Wireless?

University Level
Treat it like Corporate:
– Much less likely to have money requirements of 802.11a, BUT:
Securing 802.11b is defined by:
– Broadcast area
– Sniffing
– Restricting # Users
– Restricting Access Rights

Page 15: Wired or Wireless?

University Level
Use of 802.11b requires more physical security:
– Wardriving still possible
– Attacks through Staff
– Attacks through dormitories
Requires a very accurate listing of User MAC addresses
Requires accurate accounting for DHCP address use
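
Added example (not part of the original slides): a small audit that ties the "accurate listing of User MAC addresses" to the "accounting for DHCP address use", flagging leases held by MACs outside the inventory and a pool that has run dry. The lease tuples, MAC inventory, and pool size are constructed sample data; a real audit would load them from the DHCP server's lease export.

```python
import re

def norm_mac(mac):
    """Normalise aa:bb.., AA-BB.. or aabb.ccdd.eeff to lowercase colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit_leases(leases, authorized, pool_size):
    """leases: iterable of (ip, mac, hostname). Returns a findings dict."""
    allowed = {norm_mac(m) for m in authorized}
    unknown, seen = [], {}
    for ip, mac, host in leases:
        m = norm_mac(mac)
        seen.setdefault(m, []).append(ip)
        if m not in allowed:
            unknown.append((ip, m, host))
    used = sum(len(ips) for ips in seen.values())
    return {
        "unknown": unknown,
        # One MAC holding several leases can indicate a cloned address.
        "multi_lease": {m: ips for m, ips in seen.items() if len(ips) > 1},
        "free": pool_size - used,
        # The pool is sized to the inventory, so exhaustion is itself a signal.
        "exhausted": used >= pool_size,
    }

# Constructed sample data (documentation address range, made-up MACs).
AUTHORIZED = ["00:11:22:33:44:55", "00-11-22-33-44-66", "0011.2233.4477"]
LEASES = [
    ("192.0.2.10", "00:11:22:33:44:55", "staff-laptop"),
    ("192.0.2.11", "00:11:22:33:44:66", "lab-pc"),
    ("192.0.2.12", "02:AA:BB:CC:DD:01", "unknown-host"),
    ("192.0.2.13", "00:11:22:33:44:55", "staff-laptop"),
]

if __name__ == "__main__":
    report = audit_leases(LEASES, AUTHORIZED, pool_size=4)
    for ip, mac, host in report["unknown"]:
        print(f"UNAUTHORIZED lease {ip} -> {mac} ({host})")
    print("multi-lease MACs:", report["multi_lease"])
    print("free:", report["free"], "exhausted:", report["exhausted"])
```

MAC addresses can be changed by the client, so a clean report shows only that the lease table matches the inventory; the multi-lease check is there to surface a copied address.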

Page 16: Wired or Wireless?

University Level
Time of Day lockdown implementation
Set-up of DMZ is critical
– Just as important as securing corporate data is securing sensitive University data
  - Grades, Degree Plans, Financial Information, etc…
Building by building better than broadcast cloud

Page 17: Wired or Wireless?

Public Access Level
Problems:
– Unlike Corporate or University Level, listing MAC addresses is more difficult.
– Creating the correct DMZ cloud
Answers
– Setting up an account service requiring MAC addresses of users
– Creating architecture of system before implementation!

Page 18: Wired or Wireless?

Closing
Be Smart and Realize that no network is perfect!
– Hire Good People with a diverse background in Security (More eyes and ears!)
Restrict User Access
Restrict Number of Users
Use of Sniffing Tools
Change the Defaults!

Page 19: Wired or Wireless?

Reference
1. Security Watch, PC MAGAZINE, February 25th, 2003, www.pcmag.com.
2. Hacking Exposed, McClure, Scambray, Kurtz, McGrawHill, Chicago, 2001.
3. Secrets & Lies, Schneier, Wiley, New York, 2000.
4. Cisco AVVID Network Infrastructure Enterprise Wireless LAN Design, Adobe Acrobat Presentation, www.cisco.com, 2003.

Page 20: Wired or Wireless?

Questions? Queries? Posers? Inquiries? Huh?