Wireless LAN Security
Enterprise Risk Management
Miami, FL
September, 2003
Control Briefings
Wireless LAN: Security and Control
Enterprise Risk Management - Proprietary
1
What Is NOT Covered
Wired Equiv. Privacy (WEP) vulnerabilities
WEP Key cracking techniques
Radio signal amplification
Suggested changes to the IEEE 802.11b specification
Wireless network discovery tools
What Will Be Covered
Wireless network standards
Wireless network general security issues
Practical attacks
The focus of the attack(s)
– The network layers
– The bottom 2 layers
– Custom (forged) 802.11b management frames
What Will Be Covered
Attack Scenarios
– Denial of service
– Masked ESSID detection
– 802.11b layer MITM attack
– Inadequate VPN implementations
Mitigation Strategies
Wireless network best practices
Standards
IEEE 802.11
IEEE 802.11b
IEEE 802.11a
IEEE 802.11g
IEEE 802.11i
802.11
Published in June 1997
2.4GHz operating frequency
1 to 2 Mbps throughput
Can choose between frequency hopping or direct sequence spread spectrum modulation
802.11b
Published in late 1999 as a supplement to 802.11
Still operates in 2.4GHz band
Data rates can be as high as 11 Mbps
Only direct sequence modulation is specified
Most widely deployed today
802.11a
Also published in late 1999 as a supplement to 802.11
Operates in 5GHz band (less RF interference than the 2.4GHz range)
Uses Orthogonal Frequency Division Multiplexing (OFDM)
Supports data rates up to 54 Mbps
Not directly compatible with 802.11b or 802.11g
802.11g
802.11g is an extension to 802.11b
Operates in 2.4GHz band
Uses Orthogonal Frequency Division Multiplexing (OFDM)
Supports data rates up to 54 Mbps
Backward compatible with 802.11b.
802.11i
Currently under development
It describes the encrypted transmission of data between systems of 802.11a and 802.11b WLANs
Extensions to MAC layer, longer keys, and key management systems
Temporal Key Integrity Protocol (TKIP) and AES encryption
Security Issues
Sniffing and War Driving
Rogue Networks
Policy Management
MAC Address
SSID
WEP
War Driving
Default installations allow any wireless NIC to access the network
Drive around (or walk) and gain access to wireless networks
Generally provides direct access behind the firewall
Heard reports of an 8 mile range using a 24dB gain parabolic dish antenna.
Rogue Networks
Network users often set up rogue wireless LANs to simplify their lives
Rarely implement security measures
Network is vulnerable to War Driving and sniffing and you may not even know it
Policy Management
Access is binary
Full network access or no network access
Need means of identifying and enforcing access policies
MAC Address
Can control access by allowing only defined MAC addresses to connect to the network
This address can be spoofed
Must compile, maintain, and distribute a list of valid MAC addresses to each access point
Not a valid solution for public applications
Service Set ID (SSID) and Extended SSID (ESSID)
SSID/ESSID is the network name for a wireless network
Common WLAN product defaults: “101” for 3COM and “tsunami” for Cisco
Can be required to specifically request the access point by name (lets the SSID act as a password)
The more people that know the SSID, the higher the likelihood it will be misused.
Changing the SSID requires communicating the change to all users of the network
Wired Equivalent Privacy (WEP)
Designed to be computationally efficient, self-synchronizing, and exportable
Vulnerable to attack
– Passive attacks to decrypt traffic based on statistical analysis
– Active attacks to inject new traffic from unauthorized mobile stations, based on known plaintext
– Dictionary-building attack that, after analysis of a day’s worth of traffic, allows real-time automated decryption of all traffic
All users of a given access point share the same encryption key
Data headers remain unencrypted so anyone can see the source and destination of the data stream
Practical Attacks
WEP – Can be cracked passively
Masked ESSID – Can be passively observed in management frames during association
Block null ESSID connects – Same problem
Install VPN – Weakly authenticated VPN is susceptible to active attack (MITM)
Strong mutual authentication - ?
The Network Layers
The Bottom Layers
Manipulating the bottom 2 layers of the OSI model
– Data Link (Layer 2)
  • Media Access Control (MAC) – Access to medium
  • Logical Link Control (LLC) – Frame sync, flow control
– Physical (Layer 1)
  • Radio bit stream
  • Divided into channels
The Bottom Layers
Management Frames
Management frames can control link characteristics and physical medium properties
802.11b management frames are NOT authenticated
– Why is this bad?
Attack Scenarios – DoS
Denial of Service – De-authentication
– Use MAC address of Access Point
– Send deauthenticate frames
  • Send continuously
  • Send to broadcast address or specific MAC
Users are unable to reassociate with AP
Existing tools: Air-Jack + WLAN-Jack
Attack Scenarios – DoS
Airopeek Trace
Attack Scenarios – DoS
Decode of Deauthentication Frame
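The decode above is what a monitoring sensor sees on the air. As an added example that is not part of the original presentation, the Python below parses the 24-byte 802.11 management-frame header and the deauthentication reason code, then applies the two checks a wireless IDS would run over such a capture: deauthentication frames addressed to the broadcast address, and any single source exceeding a deauth rate threshold within a sliding window. The MAC addresses, timestamps and threshold are constructed for the demo; in practice the (timestamp, frame) pairs would come from a monitor-mode capture such as the Airopeek trace.

```python
import struct
from collections import defaultdict

MGMT_TYPE, SUBTYPE_DEAUTH = 0, 12
BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = bytes.fromhex("00112233aabb")   # constructed AP MAC for the demo
STA = bytes.fromhex("66778899ccdd")  # constructed client MAC for the demo

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt_frame(raw):
    """Decode the 24-byte 802.11 MAC header plus a deauth frame's reason code."""
    if len(raw) < 24:
        return None
    # frame control octet 0: bits 2-3 = type, bits 4-7 = subtype
    frame = {"type": (raw[0] >> 2) & 0x3, "subtype": (raw[0] >> 4) & 0xF,
             "da": mac_str(raw[4:10]),      # addr1: destination
             "sa": mac_str(raw[10:16]),     # addr2: claimed transmitter
             "bssid": mac_str(raw[16:22]),  # addr3: BSSID
             "reason": None}
    if (frame["type"], frame["subtype"]) == (MGMT_TYPE, SUBTYPE_DEAUTH) and len(raw) >= 26:
        frame["reason"] = struct.unpack_from("<H", raw, 24)[0]  # little-endian body
    return frame

def build_deauth(da, sa, bssid, reason):  # sample frame: FC 0xC0 = management/deauth
    header = bytes([0xC0, 0x00, 0x3A, 0x01]) + da + sa + bssid + b"\x00\x00"
    return header + struct.pack("<H", reason)

def detect_deauth_abuse(captures, window_s=1.0, threshold=10):
    """Flag deauths aimed at the broadcast address (once per source) and any
    source reaching `threshold` deauths inside a sliding `window_s` window."""
    alerts, recent, bcast_seen = [], defaultdict(list), set()
    for ts, raw in sorted(captures):  # captures: (timestamp, raw_frame) pairs
        f = parse_mgmt_frame(raw)
        if not f or (f["type"], f["subtype"]) != (MGMT_TYPE, SUBTYPE_DEAUTH):
            continue
        if f["da"] == BROADCAST and f["sa"] not in bcast_seen:
            bcast_seen.add(f["sa"])
            alerts.append(f"broadcast deauth from {f['sa']} reason={f['reason']}")
        recent[f["sa"]] = q = [t for t in recent[f["sa"]] if ts - t <= window_s] + [ts]
        if len(q) == threshold:  # fire once, as the threshold is crossed
            alerts.append(f"deauth flood from {f['sa']}: {threshold} in {window_s}s")
    return alerts

def sample_capture():
    """Constructed: one legit client deauth (reason 3), then 12 forged AP->broadcast deauths."""
    legit = [(0.0, build_deauth(AP, STA, AP, 3))]
    flood = [(5.0 + i * 0.05, build_deauth(b"\xff" * 6, AP, AP, 7)) for i in range(12)]
    return legit + flood
```

Because 802.11b management frames carry no authentication, the sensor can only detect the forged frames, not distinguish them from the AP's own on the air; the alert is the trigger for locating the transmitter.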
Attack Scenarios – DoS
This was your connection
This is your connection
Attack Scenarios – ESSID
Is the ESSID a shared secret?
If I mask the ESSID from the AP beacons, then unauthorized users will not be able to associate with my AP?
Discover Masked ESSID
– Send a deauthenticate frame to the broadcast address.
– Obtain ESSID contained in client probe request or AP probe response.
Attack Scenarios – ESSID
Airopeek Trace
Attack Scenarios – MITM
MITM Attack
– Taking over connections at layer 1 and 2
– Insert attack machine between victim and access point
Attack Scenarios – MITM
Dangers of wireless MITM
– Wireless networks are more vulnerable to MITM attacks than wired networks.
– Many security solutions are implemented with an assumption of a secure layer 1 and 2
– Many VPN solutions are implemented with inadequate authentication for protection against wireless MITM attacks.
Attack Scenarios – MITM
Deauthenticate victim from real AP
– Send deauthenticate frames to the victim using the access point’s MAC address as the source
Victim’s 802.11 card scans channels to search for new AP
Victim’s 802.11 card associates with fake AP on the attack machine
– Fake AP is on a different channel than the real one
– Attack machine’s fake AP is duplicating MAC address and ESSID of real AP.
Attack Scenarios – MITM
Attack machine associates with real AP
– Attack machine duplicates MAC address of the victim’s machine.
Attack machine is now inserted and can pass frames through in a manner that is transparent to the upper level protocols, just like a proxy.
Attack Scenarios – MITM
Before
After
Wireless Best Practices
Enable WEP - Wired Equivalent Privacy
– Key rotation when equipment supports it
Disable broadcast of ESSID/SSID
Block null ESSID connection
Restrict access by MAC address
Use VPN technology
Use strong mutual authentication
Mitigation Strategies
Big guy with a stick
Wireless IDS and Monitoring
– AirDefense http://www.airdefense.net
Search and Detect (destroy?) rogue APs
VPN + Strong mutual authentication
RF Signal shaping – Avoiding signal leaks
– Antennas with directional radiation pattern
– Lower Access Point power
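For the MITM fake-AP scenario and the "search and detect rogue APs" mitigation above, an added example that is not part of the original presentation: the inventory check a wireless monitoring sensor can run over beacon and probe-response observations from one channel sweep. It flags an unknown BSSID (rogue AP), an unknown BSSID advertising the corporate ESSID (impersonation), and an authorised BSSID heard on two channels at once, which is the cloned MAC and ESSID on a different channel described in the MITM slides. The authorised-AP inventory, addresses and sweep data are constructed for the demo.

```python
from collections import defaultdict

# Constructed inventory of authorised APs (BSSID -> ESSID); not a real network.
AUTHORISED = {"00:11:22:33:aa:bb": "corp-wlan", "00:11:22:33:aa:cc": "corp-wlan"}

def audit_beacons(observations, authorised=AUTHORISED):
    """observations: (bssid, essid, channel) tuples decoded from beacon and
    probe-response frames captured by a monitor-mode sensor in one sweep.
    An empty essid means the AP masks (does not broadcast) its ESSID."""
    findings, channels = set(), defaultdict(set)
    corp_essids = set(authorised.values())
    for bssid, essid, channel in observations:
        bssid = bssid.lower()
        channels[bssid].add(channel)
        if bssid in authorised:
            if essid and essid != authorised[bssid]:
                findings.add(f"essid-mismatch: {bssid} advertises {essid!r}")
        elif essid in corp_essids:
            findings.add(f"impersonation: unknown {bssid} advertises {essid!r}")
        else:
            findings.add(f"rogue-ap: unknown {bssid} advertises {essid!r} on ch {channel}")
    # One BSSID beaconing on two channels at once is the fake-AP pattern from the
    # MITM scenario: cloned MAC and ESSID on a channel the real AP is not using.
    for bssid, chans in channels.items():
        if len(chans) > 1:
            findings.add(f"fake-ap: {bssid} seen on channels {sorted(chans)}")
    return sorted(findings)

def sample_sweep():
    """Constructed sweep: the two real APs (one masking its ESSID), a clone of
    the first on channel 1, an ESSID impersonator and an employee's rogue AP."""
    return [("00:11:22:33:aa:bb", "corp-wlan", 6),
            ("00:11:22:33:aa:cc", "", 11),
            ("00:11:22:33:aa:bb", "corp-wlan", 1),
            ("de:ad:be:ef:00:01", "corp-wlan", 6),
            ("de:ad:be:ef:00:02", "linksys", 6)]
```

Masking the ESSID does not hide the real AP from this check, since the inventory is keyed on BSSID; conversely, a masked ESSID offers no protection against the impersonation and clone cases, as the earlier slides showed.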
Summary
Wireless networks are more susceptible to active attacks than wired networks.
Enable all built-in security capabilities.
Use VPN with strong mutual authentication.
Monitor wireless network medium (air space) for suspicious activity.