How to Secure a Home Wi-Fi
S. Roy
Acknowledgement
In preparing the presentation slides and the lab
setup, I received help from
• Professor Simon Ou
• Professor Gurdip Singh
• Professor Eugene Vasserman
• Alex Bardas
What is a home Wi-Fi?
• Provides a wireless access point (AP) via which
household machines (e.g. laptops, tablets and smart
phones in an apartment) can connect to the Internet
• The access point is also known as the home router.
More about Home Wi-Fi
• The router (also called the AP) is connected to the Internet via a modem.
• Any wireless-capable computer or smartphone in the house communicates with the router.
• Note: typically, the same router also supports wired connections at home, as shown in the figure.
[Figure: the AP (home router) sits between the modem/Internet and the household's wireless and wired devices]
Risks in a Home Wi-Fi
• An insecure home Wi-Fi has all the problems of using a
free public Wi-Fi
– A neighboring (e.g. next-door) attacker can launch
similar attacks on the computers of a home Wi-Fi.
• And an additional concern: the admin responsibility
– The intruder may use your network as a stepping stone
for DoS attacks, spamming, downloading music, and so on.
– The home owner has to deal with the law enforcement
agency for any wrongdoing rooted at his/her network
– Well before the police arrive, the mobile intruder can
flee, while the home owner stays behind
Abusing a Home Wi-Fi network
1. The attacker M intrudes into your home network
2. M uses it as a stepping stone for bad activities
3. You (the home owner) face the FBI
[Figure: A Home Wi-Fi with a user and an attacker. Alice and Mallory (M) both use the AP; through the Internet, M launches a DoS attack on a Pentagon server and downloads pirated items from a P2P server]
Securing a Home Wi-Fi: Task 1
Stop the intruder from joining the network
– The AP employs an access control mechanism to
authenticate the legitimate computers
– Each legitimate computer may share the same key
with the AP while the intruder does NOT have the key
[Figure: A Home Wi-Fi with two users; an attacker M is denied access. Alice and Bob each send "hello; proof of the key" to the AP and are authenticated; Mallory sends only "hello" and is denied access]
Securing a Home Wi-Fi: Task 2
Stop the intruder from eavesdropping
– Encrypt the traffic (i.e. communicated messages)
between the AP and each legitimate computer
[Figure: Alice and Bob exchange encrypted messages with the AP while Mallory listens. Mallory should NOT be able to decrypt the airborne traffic.]
Outdated Algorithms for Wi-Fi Security
• Wired Equivalent Privacy (WEP) algorithm has
numerous flaws.
– You should NOT use WEP in your home Wi-Fi. An attacker
can easily break into the network.
– Available attack/monitor tools: aircrack-ng, CommView
• The algorithm WPA (Wi-Fi Protected Access) is
stronger than WEP
– But WPA still has some serious weaknesses
– So, you should avoid WPA as well
Current Standard for Wi-Fi Security:
An overview
• The current standard WPA2 has replaced WPA
• Its Pre-shared Key (PSK) mode (also known as
Personal mode) is designed for home networks
• Caution: WPA and WPA2 remain vulnerable if
users rely on a weak password or passphrase
– available attack/monitor tools: aircrack-ng, kismet
– a passphrase longer than 13 characters is probably
secure
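To see why the passphrase is the weak point of WPA2-PSK, it helps to look at how the router turns it into the key. The following is an added example, not part of the slides: it derives the 256-bit Pre-Shared Key the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1 over the passphrase, with the SSID as salt, 4096 iterations) and applies the slide's "longer than 13 characters" rule. The attacker guessing rate in `years_to_exhaust` is an assumed number used only to show how the cost grows with length; the `passphrase_ok` and `years_to_exhaust` helpers are this example's own.

```python
"""WPA2-PSK (Personal mode) key derivation and a passphrase-length check.

Added example; not from the slides. IEEE 802.11i derives the 256-bit
Pre-Shared Key as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations).
Because the SSID is the salt, a non-default SSID also defeats tables
precomputed for common factory SSIDs.
"""
import hashlib


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 32-byte PSK exactly as IEEE 802.11i specifies.

    The standard allows a passphrase of 8 to 63 printable ASCII characters
    and an SSID of at most 32 bytes.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2-PSK passphrase must be 8 to 63 characters")
    ssid_bytes = ssid.encode("utf-8")
    if len(ssid_bytes) > 32:
        raise ValueError("SSID must be at most 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid_bytes, 4096, dklen=32)


def passphrase_ok(passphrase: str, min_length: int = 14) -> bool:
    """The slide's rule of thumb: longer than 13 characters is probably secure.

    Length is checked on top of the standard's 8..63 limit. (Helper name and
    threshold parameter are this example's own.)
    """
    return 8 <= len(passphrase) <= 63 and len(passphrase) >= min_length


def years_to_exhaust(length: int, alphabet_size: int,
                     guesses_per_second: float) -> float:
    """Years an offline attacker needs to try every passphrase of this length.

    guesses_per_second is an ASSUMED attacker rate, not a measurement; the
    point is that each extra character multiplies the work by alphabet_size.
    """
    keyspace = float(alphabet_size) ** length
    return keyspace / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # IEEE 802.11i Annex test vector: passphrase "password", SSID "IEEE"
    print(wpa2_psk("password", "IEEE").hex())
    # Assumed rate of 1e5 PBKDF2 guesses per second, for illustration only
    for n in (8, 13, 14, 20):
        print(n, passphrase_ok("a" * n),
              f"{years_to_exhaust(n, 62, 1e5):.3g} years")
```

The printed PSK for the "password"/"IEEE" pair matches the test vector published in the 802.11i annex, so the derivation can be checked against the standard rather than taken on trust. Note that `wpa2_psk` alone does not tell you whether a passphrase is strong: a long passphrase that is a dictionary phrase still falls to a wordlist attack, which is why the slide recommends both length and unpredictability.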
Wi-Fi Protected Setup (WPS)
• A standard that attempts to make establishing a
secure Wi-Fi (WPA) easy
• But WPS has serious security flaws
– We should not use WPS
• An attacker can recover the WPS PIN in a few
hours
– and thus the network's WPA/WPA2 pre-shared key.
Acknowledgement: wikipedia.org
Configuring a Router (AP) with WPA2
• Walking through the setup procedure
1. Connect a computer to one of the LAN ports on the back of the router
2. Open a web browser and type http://router-IP-address (e.g. 192.168.0.1;
the address should be available in the router manual) to get the
configuration page of the router. Then do the following.
3. Change the router’s default administrative password
4. Choose an SSID name (otherwise, the default one will be used)
5. Select WPA2-PSK among the available security algorithms
6. Set a password/passphrase for the WPA2-PSK protocol to use.
7. Give each user (each computer at home) the same passphrase.
• Check / ensure that WPA2 is ON on the router at the end of the above
steps.
Configuring the Computer
More on Router Configuration
• Enable the built-in NAT/firewall in the router
– the router has two sides i.e. the outside world (the
Internet) and the inside network (home)
– the outside world sees only the router public address
(globally unique IP address)
– multiple computers inside your home get local
addresses (e.g. IP address like 192.168.1.3)
• The DMZ option
– router exposes some specific internal computer
– router forwards incoming traffic to the specific host
– this is an insecure option; so, avoid the DMZ
More on Router Configuration
• The router can be configured with a remote access
option
– this option allows you to access your router configuration page
from the outside world
– instead of using the router’s LAN IP address you have to
use the router’s Internet IP address.
• Remote access can cause security problems
– disable the remote access of the router as soon as it is
installed.
Case Study: A Linksys Router
• The E1200 is a wireless router
– It also has 4 Ethernet ports
– the default IP address is 192.168.1.1.
– the admin username and the default password are both
“admin”.
– the default SSID of the E1200 is CiscoXXXXX
– supports security protocols e.g. WPA2, WPA, WEP
– WPS is enabled by default; disable it
Acknowledgement: Linksys E1200 manual
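The setup steps and the router-configuration slides above amount to a checklist, and the E1200 case study gives concrete factory defaults to check against. The following is an added example, not part of the slides or of any Linksys software: it audits a simplified, assumed dictionary model of a router's settings (the key names `admin_password`, `ssid`, `security_mode`, `passphrase`, `wps_enabled`, `remote_management`, `dmz_host`, `nat_firewall` are this example's own invention, not a real router's configuration format) and reports every setting that contradicts the recommendations. The factory-default SSID pattern is modelled on the E1200's CiscoXXXXX from the case study; the sample configurations at the bottom are constructed.

```python
"""Audit a home router's settings against the recommendations in the slides.

Added example; the settings dictionary is an assumed, simplified model of a
router's configuration page, not a real device's format.
"""
import re

# Factory admin passwords to flag (the E1200 ships with "admin"/"admin")
DEFAULT_ADMIN_PASSWORDS = {"admin", "password", ""}
# Assumed factory SSID shape, modelled on the E1200's "CiscoXXXXX"
DEFAULT_SSID_RE = re.compile(r"^Cisco\w+$")

# Why each non-WPA2 mode is rejected, per the "outdated algorithms" slide
MODE_ADVICE = {
    "none": "network is open; select WPA2-PSK",
    "WEP": "WEP has numerous flaws and is easily broken; select WPA2-PSK",
    "WPA-PSK": "WPA has serious weaknesses; select WPA2-PSK",
}


def audit_router(settings: dict) -> list:
    """Return one finding per recommendation the configuration violates.

    An empty list means the router follows every recommendation on the slides.
    Missing keys are treated as the unsafe default.
    """
    findings = []
    if settings.get("admin_password", "") in DEFAULT_ADMIN_PASSWORDS:
        findings.append("admin password is a factory default; change it")
    if DEFAULT_SSID_RE.match(settings.get("ssid", "")):
        findings.append("SSID looks like the factory default; choose your own")
    mode = settings.get("security_mode", "none")
    if mode != "WPA2-PSK":
        findings.append(MODE_ADVICE.get(mode, f"unknown mode {mode!r}; select WPA2-PSK"))
    elif len(settings.get("passphrase", "")) <= 13:
        findings.append("WPA2 passphrase is 13 characters or fewer; use a longer one")
    if settings.get("wps_enabled", True):
        findings.append("WPS is enabled; disable it (the PIN can be recovered)")
    if settings.get("remote_management", False):
        findings.append("remote management is enabled; disable it")
    if settings.get("dmz_host"):
        findings.append(f"DMZ exposes {settings['dmz_host']}; disable the DMZ")
    if not settings.get("nat_firewall", False):
        findings.append("NAT/firewall is off; enable it")
    return findings


# Constructed sample: an E1200 as it might look straight out of the box
FACTORY_DEFAULTS = {
    "admin_password": "admin",
    "ssid": "Cisco12345",
    "security_mode": "none",
    "passphrase": "",
    "wps_enabled": True,
    "remote_management": False,
    "dmz_host": "",
    "nat_firewall": True,
}

# Constructed sample: the same router after following the slides
HARDENED = {
    "admin_password": "a strong unique admin password",
    "ssid": "RoyHome-5G",
    "security_mode": "WPA2-PSK",
    "passphrase": "forty winks under a purple umbrella",
    "wps_enabled": False,
    "remote_management": False,
    "dmz_host": "",
    "nat_firewall": True,
}

if __name__ == "__main__":
    for label, cfg in (("factory", FACTORY_DEFAULTS), ("hardened", HARDENED)):
        print(label, audit_router(cfg) or ["no findings"])
```

Running the audit on the constructed factory configuration reports the default admin password, the default SSID, the open security mode and enabled WPS; the hardened configuration produces no findings. In practice the dictionary would be filled in by reading the router's configuration page or its exported settings file, which differs per vendor.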
A Hands-On Activity: Configure a Router
A few additional security measures:
Trade-off between usability and security
1. Disable the SSID broadcast
– SSID broadcast attracts the attacker.
– But disabling it means each of your computers needs to remember the SSID
2. Assign static IP addresses to all computers at home; turn off DHCP
– If the DHCP (dynamic addressing) option is ON, the attacker may get a valid IP
address from the AP.
– Turn off DHCP; configure each connected device with a unique static IP.
– Use a private IP address range (like 192.168.x.x or 10.0.0.x) to prevent
computers at home from being directly reached from the Internet.
3. Use access control for any computers offering files and services.
Wireless Intrusion Detection Tools
We should monitor our home Wi-Fi network
whenever possible. The available tools are:
– Wireshark: captures all of the wireless network’s
communications; analyzes the traffic to detect
possible intrusion attempts
– AirSnare: monitors for unfriendly MAC addresses
and alerts us; also monitors DHCP requests from
clients.
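The AirSnare behaviour described above (watch DHCP activity, alert on MAC addresses that are not household devices) is simple enough to reproduce from a router's DHCP log. The following is an added example, not part of the slides and not AirSnare's code: it parses constructed log lines written in the DHCPACK format that the dnsmasq DHCP server (common on home routers) uses, checks each lease against a made-up allow-list of known MAC addresses, and also flags any lease outside the expected home subnet. The allow-list, subnet and log lines are all constructed; MAC addresses can be spoofed, so this is a tripwire for the slide's scenario, not proof that an unknown device is an intruder.

```python
"""Home Wi-Fi intrusion monitoring in the spirit of AirSnare: flag DHCP
clients whose MAC address is not on the household allow-list, and any
client holding an address outside the home subnet.

Added example; the log lines are constructed in dnsmasq's DHCPACK line
format and the MAC allow-list is made up.
"""
import ipaddress
import re

# Assumed home LAN; the router in the case study would use 192.168.1.0/24
HOME_SUBNET = ipaddress.ip_network("192.168.1.0/24")

# Allow-list of the household's devices (constructed values)
KNOWN_MACS = {
    "aa:bb:cc:00:00:01": "alice-laptop",
    "aa:bb:cc:00:00:02": "bob-phone",
}

# Constructed sample log: two known devices, then an unknown one
SAMPLE_LOG = """\
Feb 20 13:01:02 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.10 aa:bb:cc:00:00:01 alice-laptop
Feb 20 13:02:45 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.11 aa:bb:cc:00:00:02 bob-phone
Feb 20 13:05:13 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.12 de:ad:be:ef:13:37 android-9f2c
Feb 20 13:06:00 router dnsmasq-dhcp[412]: DHCPDISCOVER(br0) de:ad:be:ef:13:37
"""

# DHCPACK(<iface>) <ip> <mac> [<hostname>]; other DHCP message types are skipped
ACK_RE = re.compile(
    r"DHCPACK\(\S+\)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s+(?P<name>\S+))?",
    re.IGNORECASE,
)


def parse_acks(log_text: str):
    """Yield (ip, mac, hostname) for every DHCPACK line in the log."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower(), m.group("name") or ""


def find_alerts(log_text: str, known_macs=KNOWN_MACS, subnet=HOME_SUBNET) -> list:
    """Return one alert per unknown MAC (first lease only) and per out-of-subnet lease."""
    alerts = []
    reported = set()
    for ip, mac, name in parse_acks(log_text):
        if mac not in known_macs and mac not in reported:
            reported.add(mac)
            alerts.append(f"unknown device {mac} ({name or 'no hostname'}) got lease {ip}")
        if ipaddress.ip_address(ip) not in subnet:
            alerts.append(f"{mac} holds {ip}, outside {subnet}")
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print("ALERT:", alert)
```

On the constructed log this raises exactly one alert, for the `de:ad:be:ef:13:37` device that obtained 192.168.1.12. The DHCPDISCOVER line is deliberately ignored: only a completed lease (DHCPACK) tells you the AP actually handed out an address, which is the condition the "turn off DHCP" measure on the hands-on slide is meant to prevent.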
Case Study: The Att Wireless Router
• Discuss why this is an advanced router
Summary
• We discussed common security threats of an
open Wi-Fi at home
• We presented a few standard countermeasures
to mitigate the risks
• Reminder:
– the next homework is due before the next class (1pm
on February 21)
– the next class will be held in Room 128