Chapter 6: General Policy - Cisco Networking Academy

NETW 05A: APPLIED WIRELESS
SECURITY
General Policy
By Mohammad Shanehsaz
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
General Topics
Objectives
Getting Started
Risk Assessment
Impact Analysis
Security Auditing
Objectives
Explain necessary items to include in
the creation and maintenance of a
WLAN security checklist
Describe and recognize the importance of
asset management and inventory
procedures for WLANs
Objectives
Explain the importance of including WLANs in
existing change management programs
Explain the purpose and goals of the following WLAN security policies:
- Password policy
- User training
- On-going review (auditing)
- Acceptable use and abuse policy
- Consistent implementation procedure
- Centralized implementation and management guidelines and procedures
Objectives
Locate and identify WLANs within and around
a facility
Explain the assets to be protected through
securing a WLAN
Explain and demonstrate the inherent weaknesses
in WLAN security
Given a WLAN attack scenario, explain and
respond to the attack
Given a WLAN configuration, explain and
implement all the necessary steps for securing the
WLAN
Objectives
Perform an impact analysis for a series of WLAN attack scenarios, which may include the following methods of attack:
- Analysis, spoofing and information theft
- Denial of Service
- Malicious code or file insertion
- Target profiling
- Peer-to-peer hacking
- Physical security
- Social engineering
- WLAN hacking hardware and software
Objectives
Summarize risks to wired networks from
wireless networks
Summarize the security policy related to
wireless public-access network use
Wireless LAN security policy
Wireless LAN security policy falls into two categories:
- General policy (items that do not fall into a specific technical category, e.g. corporate networking)
- Functional policy
Categories of General Policy
Getting Started
Risk Assessment
Impact Analysis
Security Auditing
Getting Started
Obtain organizational sponsorship!
CEO or CIO
Wireless implementation must be part of a security plan addressing:
Resources
- control access
- prevent unauthorized users
- limit consumption of wireless network resources (e.g. bandwidth)
Privacy
- control access
- prevent unauthorized users
- protect confidential or sensitive data
Intrusion
- monitor the environment
- allow detection of unauthorized access or activities
- respond with appropriate security measures
Getting Started
Include input from:
- End users
- Network operations team
- Financial people
- Management
- Independent/external auditor
Among the key decisions:
- What items will the policy cover?
- How will the policy be enforced?
- How will the policy be implemented?
- How user-friendly should the policy be?
Getting Started
General templates on corporate security policy can be found at:
http://www.sans.org/resources/policies/
Your textbook has included a wireless LAN security policy template in Appendix A
Risk Assessment
Examine each possible scenario which may lead to financial loss due to negative events
Rank predicted losses (level of severity)
For each scenario, make decisions on cost-effective responses to:
- Eliminate risks
- Mitigate risks
Risk Assessment’s four themes
What assets are we trying to protect?
What are we trying to prevent?
What are the company's legal liabilities?
What is the cost?
Risk Assessment’s four themes
All 4 themes require analysis prior to creating
a security
Asset Protection
- What assets must be protected?
- What are the costs/legal ramifications if these assets are compromised?
Threat Prevention
- What is the organization trying to protect by securing the network?
- What kinds of attack, theft or breach of security are likely?
Risk Assessment’s four themes
Legal Liabilities
- What is an organization legally responsible for if the network is compromised or used to negatively impact another organization?
- What legal protection does a company have?
- Can the organization lose privileges (Internet service) due to abuse by intruders (spam)?
Costs
- What are the costs associated with securing the wireless network?
- Are security costs worth the investment, considering the risks, in implementing a WLAN?
- If the network is compromised, what could the potential costs be?
- How does the potential cost of infiltration and compromise weigh against the costs associated with securing the network?
May be external or internal auditors
Asset Protection
Whether they know it or not, all organizations have data worth protecting
Must educate and enlighten management
What we are trying to protect are:
- Sensitive Data
- Network Services
Sensitive Data
Sensitive data means different things to different organizations
Determine what is important to protect, at all levels
The security professional must work with management to:
- Ensure appropriate data is being protected
- Determine what degree of protection is required
Sensitive Data
Types of sensitive data
- Intellectual property
- Trade secrets
- Formulas
- Customer Data
  - Identity information
  - credit card information
  - health information
Network Services
Risk: undermined network availability
Critical network services include:
- Email
- file services
- database services
- directory services
- Internet connectivity
- web-based applications
- virus/intrusion detection
- custom applications
Threat Prevention
When using WLANs, many threats need to be considered
Consider the probability of each threat
Process
Types of attacks
Process
Identify vulnerabilities
Assess likelihood of compromise
Determine:
- How to proceed
- How much to spend
- Where to spend it
Types of attacks
(What we are trying to prevent)
Denial of Service (DoS)
- RF Jamming
- Packet Flooding
- Equipment Damage, Theft, or Replacement
- DEFENSE: Prioritized ($) asset protection
Unauthorized Access
- Access Point can be configured numerous ways
- DEFENSE:
Credit Card Fraud
- Organizations may protect from Internet-based attacks, but forget about local hackers
- DEFENSE: Encryption
Types of attacks
(What we are trying to prevent)
Identity Theft
- Information stored includes:
  - Corporate Secrets
  - Personal Information Exposure
- DEFENSE: Encryption, VLANs
Malicious Data Insertion
- Viruses
- Invalid data
- Illegal/unethical content
Legal Liabilities
Third Party Attacks
- Organization's network used for a third party attack (e.g. SPAM)
- Result
  - Loss of access
  - Legal Liability
  - Other
Illegal Data Insertion
- Pirated software
- web-site defacement
Costs
People
- Employees or Contractors
- Consultants - expensive, but may be worth the $
Training
- For:
  - End users
  - Administrators
  - Physical security personnel
  - Network security personnel
  - Management
- Installation and configuration
- Network Operations Training
- End-user Training
Costs
Equipment
Time
Impact Analysis
An Impact Analysis identifies the degree of potential loss that could occur if an attack occurs. The risk includes:
- Risk to wired network from wireless LAN segment
- Risk of using wireless public access networks
- Legal Implications of a successful intrusion
Must ask the following question:
If a malicious hacker were to gain access to the most precious asset of a company, what would be the damage to the company?
Worst case scenario
Must:
Identify threats
Measure impact
- Direct financial terms
  - e.g. Lost sales due to outages
- Indirect financial terms
  - e.g. Reputation
  - Regulatory
  - Loss of customer confidence
- Exposure / exploitation of private information
Consider:
- Scenario
- Intent of hacker
- Organizational response
- Value of Assets
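The risk assessment questions above (rank predicted losses, weigh the cost of securing the network against the cost of a compromise, then eliminate or mitigate) and the impact analysis (measure impact in direct and indirect financial terms) can be carried out with a small risk register. This is an added Python example, not material from the course; every scenario name, probability and dollar figure is a constructed sample value, and the "accept" outcome (control costs more than it saves) is our addition to the deck's eliminate/mitigate choice.

```python
# Risk ranking and cost-weighing helper (added example, not course material).
# Each Scenario uses the deck's vocabulary: probability of the threat, impact in
# direct and indirect financial terms, the defense proposed and its annual cost.
# All names and dollar figures below are constructed sample values.
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float    # chance the scenario occurs in a given year
    direct_loss: float           # e.g. lost sales due to outages ($)
    indirect_loss: float         # e.g. reputation, regulatory, confidence ($)
    defense: str                 # control proposed for this scenario
    defense_cost: float          # annual cost of that control ($)
    residual_probability: float  # probability left once the control is in place

def impact(s: Scenario) -> float:
    """Worst-case loss if the attack succeeds: direct plus indirect terms."""
    return s.direct_loss + s.indirect_loss

def expected_loss(s: Scenario, probability: float) -> float:
    """Predicted annual loss for a given probability of occurrence."""
    return probability * impact(s)

def decide(s: Scenario) -> str:
    """Eliminate or mitigate per the deck; 'accept' (our addition) when the
    control costs more per year than the loss it removes."""
    saved = (expected_loss(s, s.annual_probability)
             - expected_loss(s, s.residual_probability))
    if s.defense_cost > saved:
        return "accept"
    return "eliminate" if s.residual_probability == 0.0 else "mitigate"

def rank(scenarios):
    """Order scenarios by predicted annual loss, most severe first."""
    return sorted(scenarios,
                  key=lambda s: expected_loss(s, s.annual_probability),
                  reverse=True)

# Constructed sample register using attack types and defenses from the deck.
SAMPLE = [
    Scenario("RF jamming (DoS)", 0.20, 15000, 5000,
             "Prioritized asset protection", 9000, 0.10),
    Scenario("Credit card fraud over unencrypted WLAN", 0.30, 50000, 200000,
             "Encryption", 8000, 0.02),
    Scenario("Theft of lobby access point", 0.50, 2000, 1000,
             "Move AP to a locked room", 500, 0.0),
]

if __name__ == "__main__":
    for s in rank(SAMPLE):
        loss = expected_loss(s, s.annual_probability)
        print(f"{s.name:40} ${loss:>9,.0f}/yr -> {decide(s)}")
```

With the sample figures, encryption against card fraud removes far more annual loss than it costs, relocating the lobby AP eliminates its theft scenario outright, and the jamming control is not cost-effective, so that risk is carried rather than funded.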
Legal Implications
To truly understand the impact of information theft or the insertion of malicious information, consider:
- Dollar Amount
- Legal liabilities
Security Auditing
Need to conduct periodic security reviews / audits
Modifications or additions to the network might create new security holes
Independent Testing
Sources of Information
Need to conduct periodic security reviews / audits
- Low risk: once per year
- Larger network / sensitive data: quarterly or more often
Independent Testing
May want to use consultants for:
- Design
- After installation
- Fresh perspective
Role
- Use only as necessary - keep to a minimum
- aid in design
- locate weaknesses in existing security solutions
- aid in network redesign
Sources of Information
Hackers
- May not be malicious
- May report vulnerability to the organization
- Advice
  - Acknowledge their help
  - Fix the problem