Wireless Security
Principles of Computer Security:
CompTIA Security+® and Beyond, Second Edition
Chapter 12
© 2010
Objectives
• Describe the different wireless systems in use today.
• Detail WAP and its security implications.
• Identify 802.11’s security issues and possible solutions.
Key Terms
• 2.4 GHz band
• 5 GHz band
• Beacon frames
• Bluejacking
• Bluesnarfing
• Bluebugging
• Confidentiality
• Direct-sequence spread spectrum (DSSS)
• IEEE 802.1X
• IEEE 802.11
• Initialization vector (IV)
• Orthogonal frequency division multiplexing (OFDM)
• RC4 stream cipher
• Service set identifier (SSID)
• WAP gap
• Wired Equivalent Privacy (WEP)
• Wireless Application Protocol (WAP)
• Wireless Transport Layer Security (WTLS)
Introduction to Wireless Networking
• Wireless networking is the transmission of packetized data by means of a physical topology that does not use direct physical links.
• IEEE 802.11 is a family of protocols that have been standardized by the IEEE for wireless local area networks (LANs).
• Wireless Application Protocol (WAP) was one of the pioneers of mobile data applications.
• Bluetooth is a short-range wireless protocol typically used on small devices such as mobile phones.
[Figure: Summary Table of the 802.11 Family]
[Figure: Wireless Transmission Extending Beyond the Facility’s Walls]
Mobile Phones
• Traditional wireless devices such as cellular phones and pagers are being replaced by wireless e-mail devices and PDAs.
• Wireless Application Protocol (WAP) attempted to satisfy the need for more data on mobile devices.
WAP
• Wireless Application Protocol (WAP) is a lightweight protocol designed for mobile devices.
• Wireless Transport Layer Security (WTLS) is a lightweight security protocol designed for WAP.
• WTLS uses a modified version of the Transport Layer Security (TLS) protocol, formerly known as Secure Sockets Layer (SSL), to ensure confidentiality.
• WTLS implements integrity through the use of message authentication codes (MACs).
WAP Vulnerabilities
• The TLS protocol that WTLS is based on is designed around Internet-based computers.
• Mobile phone clients with low memory or CPU capabilities cannot support encryption, and choosing null or weak encryption greatly reduces confidentiality.
• WAP is a point-to-multipoint protocol, but it can face disruptions or attacks because it aggregates at well-known points: the cellular antenna towers.
• The WAP gap concerns the confidentiality of information at the point where the two different networks meet: the WAP gateway.
[Figure: The WAP Gap Shows an Unencrypted Space Between Two Enciphered Connections]
3G Mobile Networks
• Mobile wireless networks have been or are being upgraded to 3G, greatly enhancing speed and lowering latency.
• The increased power and memory of handheld devices also reduces the need for lighter-weight encryption protocols.
• The cryptographic standard proposed for 3G is known as KASUMI.
• KASUMI is a modified version of the MISTY1 algorithm that uses 64-bit blocks and 128-bit keys.
Bluetooth
• Bluetooth is a short-range (approx. 32 feet), low-power wireless protocol transmitting in the 2.4 GHz band.
• Bluetooth transmits data in Personal Area Networks (PANs) through mobile phones, laptops, printers, and audio devices.
• Version 1.2 allows speeds up to 721 Kbps and improves resistance to interference over version 1.1.
• Bluetooth 2.0 introduced enhanced data rate (EDR), which allows the transmission of up to 3.0 Mbps.
[Figure: Bluetooth Headsets]
Bluetooth Vulnerabilities
• Bluejacking – Term used for the sending of unauthorized messages to another Bluetooth device.
• Bluesnarfing – Executed in a way similar to bluejacking; however, with bluesnarfing the attacker copies off the victim’s information, which can include e-mails, contact lists, calendar, etc.
• Bluebugging – A far more serious attack than either bluejacking or bluesnarfing. In bluebugging, the attacker uses Bluetooth to establish a serial connection to the device.
[Figure: Wireless File Sharing]
802.11
• Group of IEEE standards also called Wi-Fi.
• The table below shows an overview of each protocol.
802.11 Modulation
• Direct-sequence spread spectrum (DSSS) is a modulation type that spreads the traffic sent over the entire bandwidth.
• Orthogonal frequency division multiplexing (OFDM) multiplexes, or separates, the data to be transmitted into smaller chunks and then transmits the chunks on several subchannels.
802.11 Individual Standards
• 802.11a is the wireless networking standard that supports traffic on the 5 GHz band, allowing speeds up to 54 Mbps.
• The 802.11b protocol provides for multiple-rate Ethernet over 2.4 GHz spread-spectrum wireless. It provides transfer rates of 1 Mbps, 2 Mbps, 5.5 Mbps, and 11 Mbps and uses DSSS.
• Features of 802.11b and 802.11a were joined to create 802.11g, which allows the faster speeds of the 5 GHz specification on the 2.4 GHz band.
• 802.11n is on the horizon, with many manufacturers shipping devices based upon the draft specification. 802.11n offers speeds up to 248 Mbps.
802.11 Protocol
• Authentication is handled in its most basic form by the 802.11 AP, forcing the clients to perform a handshake when attempting to “associate” to the AP.
• Service set identifier (SSID). The SSID setting should limit access only to the authorized users of the wireless network.
• A beacon frame is an 802.11 management frame for the network and contains several different fields, such as the timestamp and beacon interval, but most importantly the SSID.
• Wired Equivalent Privacy (WEP) uses the RC4 stream cipher to encrypt the data as it is transmitted through the air.
[Figure: A Common Wireless Router]
Attacking 802.11
• Wireless is a popular target for several reasons:
– Access gained from wireless
– Lack of default security
– Wide proliferation of devices
– Anonymity
– Low cost
Attacking 802.11
• War-driving is driving around with a wireless locater program, recording the number of networks found and their locations.
• NetStumbler is a reception-based program that listens to the beacon frames output by other wireless devices.
• A network sniffer, when combined with a wireless network card it can support, is a powerful attack tool.
• Wired Equivalent Privacy (WEP) is an encryption protocol that 802.11 uses to attempt to ensure the confidentiality of wireless communications.
• A site survey is an important step in securing a wireless network, to avoid sending critical data beyond company walls.
• A rogue access point is an unauthorized wireless access point within an organization.
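The beacon frame and rogue access point points above (and the beacon-frame definition on the 802.11 Protocol slide), worked as an added example that is not from the textbook: a parser for the 802.11 beacon frame layout (24-byte MAC header, then timestamp, beacon interval and capability fields, then tagged information elements including the SSID) and a site-survey check that compares what is heard on the air against the access points the organization owns. The frames are constructed by hand, and AUTHORIZED and CORP_SSID are hypothetical inventory values standing in for a real survey.

```python
"""Parse 802.11 beacon frames and check them against a site-survey inventory.

Added example (not from the textbook). The beacon frames are constructed by
hand below, and AUTHORIZED / CORP_SSID are a hypothetical inventory of the
access points an organization owns; both stand in for real captures and a
real survey.
"""
import struct

SSID_IE = 0           # information element tag: Service Set Identifier
DS_PARAM_IE = 3       # information element tag: DS Parameter Set (channel)
CAP_ESS = 0x0001      # capability bit: infrastructure network (an AP)
CAP_PRIVACY = 0x0010  # capability bit: data confidentiality required


def parse_beacon(frame: bytes) -> dict:
    """Decode the MAC header, the fixed fields and the SSID/channel IEs."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    fc, = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 8:          # type 0 = management, subtype 8 = beacon
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # address 3 = BSSID
    # Fixed fields follow the 24-byte MAC header: timestamp, interval, capabilities.
    timestamp, interval, cap = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": bssid, "timestamp": timestamp, "beacon_interval_tu": interval,
            "ess": bool(cap & CAP_ESS), "privacy": bool(cap & CAP_PRIVACY),
            "ssid": None, "hidden": False, "channel": None}
    pos = 36
    while pos + 2 <= len(frame):             # tagged IEs: tag, length, value
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        if tag == SSID_IE:
            # An empty or all-NUL SSID is what "SSID broadcast off" looks like
            # on the air: the beacon is still sent, only the name is withheld.
            if length == 0 or value == b"\x00" * length:
                info["hidden"] = True
            else:
                info["ssid"] = value.decode("utf-8", errors="replace")
        elif tag == DS_PARAM_IE and length == 1:
            info["channel"] = value[0]
        pos += 2 + length
    return info


def build_beacon(bssid: bytes, ssid: bytes, channel: int, privacy: bool) -> bytes:
    """Assemble a minimal beacon; used only to construct sample input."""
    cap = CAP_ESS | (CAP_PRIVACY if privacy else 0)
    header = (struct.pack("<HH", 0x0080, 0)      # frame control (beacon), duration
              + b"\xff" * 6 + bssid + bssid      # DA broadcast, SA, BSSID
              + b"\x00\x00")                      # sequence control
    fixed = struct.pack("<QHH", 0, 100, cap)     # timestamp, 100 TU interval, caps
    ies = bytes([SSID_IE, len(ssid)]) + ssid + bytes([DS_PARAM_IE, 1, channel])
    return header + fixed + ies


# Hypothetical site-survey inventory: BSSIDs the organization owns.
AUTHORIZED = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
CORP_SSID = "CorpNet"


def classify(frames: list, authorized=AUTHORIZED, corp_ssid=CORP_SSID) -> list:
    """Label each beacon: authorized, authorized-but-open, rogue (corporate
    SSID from an unknown BSSID), hidden, or neighbor."""
    findings = []
    for frame in frames:
        b = parse_beacon(frame)
        if b["bssid"] in authorized:
            verdict = "authorized" if b["privacy"] else "authorized but running open"
        elif b["ssid"] == corp_ssid:
            verdict = "rogue: unknown AP advertising the corporate SSID"
        elif b["hidden"]:
            verdict = "hidden network, SSID not broadcast"
        else:
            verdict = "neighbor"
        findings.append((b["bssid"], b["channel"], verdict))
    return findings


# Constructed sample capture: two corporate APs, a rogue, and a hidden neighbor.
SAMPLE_FRAMES = [
    build_beacon(bytes.fromhex("001122334401"), b"CorpNet", 1, True),
    build_beacon(bytes.fromhex("001122334402"), b"CorpNet", 6, True),
    build_beacon(bytes.fromhex("deadbeef0001"), b"CorpNet", 11, False),
    build_beacon(bytes.fromhex("0a0b0c0d0e0f"), b"", 3, True),
]

if __name__ == "__main__":
    for bssid, channel, verdict in classify(SAMPLE_FRAMES):
        print(f"{bssid}  ch{channel:<2}  {verdict}")
```

The check keys on the BSSID rather than the SSID because the SSID is whatever the access point chooses to announce; an inventory of owned BSSIDs from a site survey is what lets an unknown radio advertising the corporate name be called out as a rogue. A hidden SSID only removes the name from the beacon; the beacon itself, with its BSSID and channel, is still heard.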
Attacking 802.11 (continued)
• Service set identifier (SSID) – a unique 32-character identifier attached to the header of the packet.
• The purpose of beacon frames is to announce the wireless network’s presence and capabilities so that WLAN cards can attempt to associate to it.
• MAC address restriction provides limited authentication capability.
• WEP encrypts the data traveling across the network with an RC4 stream cipher, attempting to ensure confidentiality.
• WEP should not be trusted alone to provide confidentiality.
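Why WEP should not be trusted alone, worked as an added example that is not from the textbook (it also illustrates the RC4 and initialization vector key terms, and the per-packet key weakness that TKIP later addresses). The block implements RC4 and the WEP framing (a 24-bit IV sent in the clear, the per-packet RC4 key IV || shared key, and a CRC-32 integrity check value), estimates with the birthday bound how soon a 24-bit IV repeats, and provides a monitoring check that flags repeated IVs in a capture. The 40-bit key, the IV and the frames are constructed for the demonstration; the RC4 test vector in the usage check is the published "Key"/"Plaintext" one.

```python
"""Why WEP's RC4 keystream can repeat, and how to spot it in a capture.

Added example, not code from the textbook. RC4 and the WEP framing follow the
published descriptions; the key, IV and frames are constructed here.
"""
import math
import struct
import zlib

IV_BITS = 24  # WEP sends a 24-bit IV in the clear with every frame


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by the PRGA; returns `length` bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP framing: IV || key-id byte || RC4(IV||key) over (data || CRC-32 ICV)."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    data = plaintext + icv
    return iv + b"\x00" + xor(data, rc4_keystream(iv + key, len(data)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Reverse wep_encrypt and verify the ICV; raises on a wrong key."""
    iv, body = frame[:3], frame[4:]
    data = xor(body, rc4_keystream(iv + key, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    if struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF) != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def find_iv_reuse(frames: list) -> dict:
    """Defensive check over captured WEP frames: IVs seen more than once.

    The IV is the first three bytes of every frame, so a monitor needs no key
    to notice that a network has started repeating keystreams."""
    seen = {}
    for frame in frames:
        seen.setdefault(frame[:3], []).append(frame)
    return {iv: fs for iv, fs in seen.items() if len(fs) > 1}


def iv_collision_probability(n_frames: int) -> float:
    """Birthday bound: chance that some IV repeats among n random 24-bit IVs."""
    space = 2 ** IV_BITS
    return 1.0 - math.exp(-n_frames * (n_frames - 1) / (2.0 * space))


def keystream_cancels(frame_a: bytes, frame_b: bytes) -> bytes:
    """XOR of two ciphertext bodies sent under the same IV: the RC4 keystream
    cancels and what is left is plaintext XOR plaintext, with no key involved.
    This is the reason a repeated IV defeats WEP's confidentiality."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("only meaningful for identical IVs")
    return xor(frame_a[4:], frame_b[4:])


# Constructed demo: a 40-bit shared key and two frames carrying the same IV.
DEMO_KEY = bytes.fromhex("0102030405")
DEMO_IV = b"\x11\x22\x33"
FRAME_A = wep_encrypt(DEMO_KEY, DEMO_IV, b"hello, wifi")
FRAME_B = wep_encrypt(DEMO_KEY, DEMO_IV, b"goodbye wep")

if __name__ == "__main__":
    print("IV reuse seen:", [iv.hex() for iv in find_iv_reuse([FRAME_A, FRAME_B])])
    for n in (100, 5000, 20000):
        print(f"P(some IV repeats after {n:>5} frames) = {iv_collision_probability(n):.3f}")
```

The collision estimate is for random IVs; cards that start the IV counter at zero on every reboot, or increment it predictably, repeat far sooner than the bound suggests. Either way the fix is not a longer shared key but a scheme that never reuses a keystream, which is what TKIP's per-packet key and WPA2's AES-based encryption provide.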
[Figure: NetStumbler on a Windows PC]
[Figure: Windows Displaying Access Points]
New Security Protocols
• Wi-Fi Protected Access (WPA and WPA2) uses 802.1X to provide authentication and uses the Advanced Encryption Standard (AES) as the encryption protocol.
• Temporal Key Integrity Protocol (TKIP) overcomes the WEP key weakness, as a key is used on only one packet.
• The 802.1X protocol supports a wide variety of authentication methods and also fits well into existing authentication systems such as RADIUS and LDAP.
Implementing 802.1X
• Three common methods are used to implement 802.1X: EAP-TLS, EAP-TTLS, and EAP-MD5.
• EAP-TLS relies on TLS, an attempt to standardize the SSL structure to pass credentials.
• EAP–Tunneled TLS Protocol (EAP-TTLS) – based on EAP-TLS, but allows the use of legacy authentication protocols such as Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), MS-CHAP, or MS-CHAP-V2.
• EAP-MD5 – does improve the authentication of the client to the AP, but does little else to improve the security of your AP.
• Encryption should always be employed, typically with WPA or WPA2. Turning off SSID broadcasting can help avoid some scanning. Additionally, regular site surveys will help avoid rogue access points.
Chapter Summary
• Describe the different wireless systems in use today.
• Detail WAP and its security implications.
• Identify 802.11’s security issues and possible solutions.