chapter 14 wireless attacks, intrusion monitoring and policy
DESCRIPTION
Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy. 802.11 Security Basics Legacy 802.11 security Robust Security Segmentation Infrastructure Security VPN wireless Security. Exam Essentials. Understand the risk of the rogue access point. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/1.jpg)
Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy
• 802.11 Security Basics
• Legacy 802.11 security
• Robust Security
• Segmentation
• Infrastructure Security
• VPN wireless Security
![Page 2: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/2.jpg)
Exam Essentials• Understand the risk of the rogue access point.
– Be able to explain why the rogue AP provides a portal into network resources. Understand that employees are often the source of rogue APs.
• Define peer-to-peer attacks. – Understand that peer-to-peer attacks can happen via an access
point or through an ad hoc network. Explain how to defend against this type of attack.
• Know the risks of eavesdropping. – Explain the difference between casual and malicious
eavesdropping. Explain why encryption is needed for protection.• Define authentication and hijacking attacks.
– Explain the risks behind these types of attacks. Understand that a strong 802.1X/EAP solution is needed to mitigate them.
![Page 3: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/3.jpg)
Exam Essentials• Explain wireless denial-of-service attacks.
– Know the difference between layer 1 and layer 2 DoS attacks. Explain why these attacks cannot be mitigated and can only be monitored.
• Understand the types of wireless intrusion solutions.– Explain the difference between a WIDS and a WIPS.
Understand that most solutions are distributed client/server models. Know the various components of an intrusion monitoring solution as well as the various models. Understand which attacks can be monitored and which can be prevented.
• Understand the need for a wireless security policy.– Explain the difference between general and functional policies.
![Page 4: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/4.jpg)
Wireless Attacks• Portal to the wired network must be
protected– Limit unauthorized access
• Limit access to management consoles– Don’t want someone changing settings or
passwords
• Peer to peer– Watch out for unsecured netwroks
Pg 470
![Page 5: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/5.jpg)
Rogue Wireless Devices• Non-Authorized on the network
– Not controlled by admin
• Set up by hacker– To get access or passwords
• Set up by user– Ease of use
• Open an unsecured portal to wired network
• 802.1x can also help herePg 471
![Page 6: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/6.jpg)
Peer to Peer• Client attacking client on a WiFi network
– Ad-hoc or infrastructure
• On infrastructure network, you can disable client to client communications– Public Secure Packet Forwarding
• Beware of push to talk
Pg 472
![Page 7: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/7.jpg)
Eavesdropping• Easy to do• Casual
– Wardriving– Looking for wireless networks
• Netstumbler
• Malicious– Protocol analyzers and collection of data– Passive, cannot be detected by WIDS/WIPS– Use encryption to protect network
Pg 472
![Page 8: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/8.jpg)
Cracking!!• WEP has been cracked
• TKIP/CCMP are still secure
• Authentication Attacks– Some systems are less secure than others– Dictionary attacks– PSK is weak as well
• Will let hackers onto AP• Longer passphrases help
Pg 475
![Page 9: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/9.jpg)
MAC Spoofing• MAC Filtering is weak security
• Better than nothing
Pg 477
![Page 10: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/10.jpg)
Management Interface• Don’t let hackers configure your devices
• Disable unused interfaces– SNMP, Telnet, HTTP,
• Use more secure interface– SSH, HTTPS
• General policy is that management should be done from wired interface
Pg 478
![Page 11: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/11.jpg)
Wireless Hijacking• Attacker configures AP to mimic enterprise AP
– Same SSID
• Attacker can then capture traffic• Can then either set up for man in the middle
– Send “real” traffic on and capture details– Bridging the fake AP to real AP
• Also can use WiFi phishing– Setting up a false captive portal
Pg 479
![Page 12: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/12.jpg)
Denial Of Service• Prevent legitimate users from getting access• Hard to prevent
– Need to remove device generating noise/traffic
• Layer 1 jamming• Layer 2
– Deauthentication or deassociation packets– Flooding the AP with requests
• Spectrum Analyzer can help with layer 1• Protocol Analyzer will help with Layer 2
Pg 479
![Page 13: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/13.jpg)
Other Attacks• Vendor Specific
– Buffer overflow that attacks OS
• Social Engineering– Tricking someone into giving away information
• PSK!!!
Pg 481
![Page 14: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/14.jpg)
Intrusion Monitoring• Wireless Intrusion Detection Systems
(WIDs)
• Wireless Intrusion Prevention Systems (WIPS)– Can mitigate or respond
Pg 481
![Page 15: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/15.jpg)
WIDS• Wired ports must be controlled
– Prevent rogue APs
• WIDS often go up before network– Check for rogue APs and usage
• WIDS server
• Management Console
• Sensors
Pg 482
![Page 16: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/16.jpg)
WIDS Sensors• Dedicated AP like devices that listen and
report back to the management console/server
• Can also be APs set into sensor mode– Or APs that scan as well as process traffic
Pg 482
![Page 17: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/17.jpg)
WIDS Sensors
Pg 482
![Page 18: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/18.jpg)
WIDS• Best at watching for layer 2 attacks
• Can set alarms for “risky” traffic
• Set thresholds– Different alert types
• Overlay
• Integrated
• Integration enabled
Pg 482
![Page 19: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/19.jpg)
WIPS• Infrastructure device
– This classification refers to any client station or access point that is an authorized member of the company’s wireless network. A network administrator can manually label each radio as an infrastructure device after detection from the WIPS or can import a list of all the company’s radio card MAC addresses into the system.
• Unknown device – The unknown device classification is assigned automatically to any new
802.11 radios that have been detected but not classified as rogues. Unknown devices are considered interfering devices and are usually investigated further to determine whether they are a neighbor’s devices or a potential future threat.
• Known device – This classification refers to any client station or access point that is
detected by the WIPS and whose identity is known. A known device is initially considered an interfering device. The known device label is typically manually assigned by an administrator to radio devices of neighboring businesses that are not considered a threat.
Pg 485
![Page 20: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/20.jpg)
WIPS• Rogue device
– The rogue classification refers to any client station or access point that is considered an interfering device and a potential threat. Most WIPS define rogue access points as devices that are actually plugged into the network backbone and are not known or managed by the organization. Most of the WIPS vendors use a variety of proprietary methods of determining whether a rogue access point is actually plugged into the wired infrastructure.
• If a client is classified as a rogue, the WIPs can mitigate attack– Deauthenticate, deassociate– Spoof MAC of Rogue
Pg 485
![Page 21: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/21.jpg)
WIPS• Rogue device
– The rogue classification refers to any client station or access point that is considered an interfering device and a potential threat. Most WIPS define rogue access points as devices that are actually plugged into the network backbone and are not known or managed by the organization. Most of the WIPS vendors use a variety of proprietary methods of determining whether a rogue access point is actually plugged into the wired infrastructure.
• If a client is classified as a rogue, the WIPs can mitigate attack– Deauthenticate, deassociate– Spoof MAC of Rogue– Use SNMP to disable the wired port it is connected to
Pg 485
![Page 22: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/22.jpg)
Mobile WIDS• Laptop Version of the products
• Mobile capabilities– Radio Card is sensor
• Use to physically track down a Rogue AP– Some layer 1 functionality built in
Pg 485
![Page 23: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/23.jpg)
Spectrum Analyzer• Use for security as well as surveys
• Many can look at the RF signature and tell you what kind of device it is
• Mobile and distributed– Like WIDs
Pg 487
![Page 24: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/24.jpg)
Wireless Security Policy• How and what are you monitoring
• How often should PSKs change
Pg 487
![Page 25: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/25.jpg)
Wireless Security Policy• General Security Policy
• Functional Security Policy
• Legislative Compliance
Pg 487
![Page 26: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/26.jpg)
Policy Recommendations• General Security Policy
• Functional Security Policy
• Legislative Compliance
Pg 490
![Page 27: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/27.jpg)
Exam Essentials• Understand the risk of the rogue access point.
– Be able to explain why the rogue AP provides a portal into network resources. Understand that employees are often the source of rogue APs.
• Define peer-to-peer attacks. – Understand that peer-to-peer attacks can happen via an access
point or through an ad hoc network. Explain how to defend against this type of attack.
• Know the risks of eavesdropping. – Explain the difference between casual and malicious
eavesdropping. Explain why encryption is needed for protection.• Define authentication and hijacking attacks.
– Explain the risks behind these types of attacks. Understand that a strong 802.1X/EAP solution is needed to mitigate them.
![Page 28: Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy](https://reader036.vdocuments.net/reader036/viewer/2022062408/568132ac550346895d9958c4/html5/thumbnails/28.jpg)
Exam Essentials• Explain wireless denial-of-service attacks.
– Know the difference between layer 1 and layer 2 DoS attacks. Explain why these attacks cannot be mitigated and can only be monitored.
• Understand the types of wireless intrusion solutions.– Explain the difference between a WIDS and a WIPS.
Understand that most solutions are distributed client/server models. Know the various components of an intrusion monitoring solution as well as the various models. Understand which attacks can be monitored and which can be prevented.
• Understand the need for a wireless security policy.– Explain the difference between general and functional policies.