Configuring your wireless home network – A user’s guide A document of actions, instructions, and guidelines October 2013 Version 2.0

©2013 Xerox Corporation. All rights reserved. Xerox® and Xerox and Design® are trademarks of Xerox Corporation in the United States and/or other countries. BRXXXXX

Linksys is a registered trademark of Cisco Systems, Inc.

Changes are periodically made to this document. Changes, technical inaccuracies, and typographic errors will be corrected in subsequent editions.

Document Version: 2.0 (October 2013).

The Xerox Information Security Office (XISO) site may be viewed at: https://team.thehub.xerox.com/sites/XISO/SitePages/XeroxHome.aspx

XISO can be reached at [email protected]


Xerox Internal Use Only

Table of Contents

1 Overview
  Support
  Scope
2 WEP Wireless Vulnerabilities and Exploits
  Passive wireless attacks
  Active Wireless Attacks
  Negligence / Misconfiguration
  Wired Network Attacks
  Specific Wireless Vulnerabilities
  No forgery protection
  No protection against replays
  Reusing initialization vectors
3 TKIP Vulnerabilities and Exploits
4 Security configuration guidelines
  Summary checklist


1 Overview

Wireless vulnerabilities are a serious problem for Xerox. Our goal is to reduce information risk globally by helping you configure your wireless home network and devices properly, and so remove risks that you may inadvertently be adding to Xerox's network. The purpose of this document is to help Xerox employees set up and configure a secure home wireless network. Before doing so, take some time to become familiar with the InfoSec 001 Information Security Policy and the Xerox Information Security Standards (XISS) documents. The following sections discuss the risks involved with wireless networks and how to properly configure a home wireless network.

Support

The recommendations provided in this user's guide are guidelines and may not apply to all variations of home networks. Support for any issues associated with home user networks is the responsibility of the individual employee. Employees who have home networks should not contact Xerox or Xerox Services for support; they are solely responsible for supporting those networks. If a Xerox employee calls the helpdesk (IT support@Xerox - http://itsupport.xerox.com/index.aspx) regarding a wireless issue with their home network, a time and materials charge will be applied to Xerox by IT support@Xerox.

Scope

This document describes the proper way to configure a home wireless network with specific security controls that reduce, and potentially eliminate, the risk of compromise or exploitation of the devices that comprise the wireless home network. Detailed exploits will not be covered or explained within this document.


2 WEP Wireless Vulnerabilities and Exploits

Before you begin the process of configuring your wireless home network, it is important to understand the threats and risks that you are trying to protect against. There are five main classes of threats against a wireless network:

Passive wireless attacks

A passive attack is one that gives an intruder access to information being exchanged between communicating end-points, constituting eavesdropping or theft. Passive attacks are non-intrusive and usually consist of an unauthorized person operating one of the many WiFi (Wireless Fidelity) sniffing packages available on the Internet. This person could be sitting in your parking lot or across the street from your home, merely listening to or capturing the Wireless Local Area Network (WLAN) traffic.

Active Wireless Attacks

An active attack is one in which an intruder intends to alter, destroy, intercept or forcibly interact with the communication between the authorized WLAN devices. Such attacks include, but are not limited to, network intrusion, data manipulation, session hijacking, denial of service, bandwidth theft, wireless spam, and data theft. Active attacks are intentional acts, usually carried out with malicious intent.

Negligence / Misconfiguration

Negligence need not be intentional. It is important that the end user follows the proper guidelines and implements the specific configurations in order to gain maximum protection. Additionally, misconfiguration of the wireless router's firewall can lead to exploitation, exposure and compromise of the home network. Ensure that the home wireless router firewall's configuration is validated before saving changes.


Wired Network Attacks

All of the traditional network risks are also present in the wireless world. Once the connection is made, the wireless client has a 'presence' on the 'wire' that may now be exploited. Network browsing, port scanning, operating system flaws and exploits, denial of service attacks, application flaws and bugs, and incorrect system, application or network access configurations all remain viable security risks.

Specific Wireless Vulnerabilities

These vulnerabilities depend on the system and are weaknesses exploitable by passive attacks, active attacks, or both. Potential wireless vulnerabilities include: no real user identification and authentication, weak encryption methods, denial of service, access point eavesdropping (IP or router), and unauthorized disclosure and/or modification of data by an unknown third party.

In addition to the above-mentioned classes, using Wired Equivalent Privacy (WEP) or Temporal Key Integrity Protocol (TKIP) as a means of security is itself a weakness, as noted below and in the next section.

WEP has undergone much scrutiny and criticism that it may be compromised. What makes WEP vulnerable? The major WEP flaws can be summarized into three categories:

No forgery protection

There is no forgery protection provided by WEP. Even without knowing the encryption key, an adversary can change 802.11 packets in arbitrary, undetectable ways, deliver data to unauthorized parties, and masquerade as an authorized user. Even worse, an adversary can also learn more about the encryption key with forgery attacks than with strictly passive attacks.

No protection against replays

WEP does not offer any protection against replays. An adversary can create forgeries without changing any data in an existing packet, simply by recording WEP packets and then retransmitting them later. Replay, a special type of forgery attack, can be used to derive information about the encryption key and the data it protects.


Reusing initialization vectors

WEP's reuse of initialization vectors enables an attacker to decrypt the encrypted data without needing to learn the encryption key or resorting to high-tech techniques. While often dismissed as too slow, a patient attacker can compromise the encryption of an entire network after only a few hours of data collection.
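As an added illustration (not part of the Xerox guide), the following Python shows why WEP's 24-bit initialization vector is the problem: the birthday bound puts the first repeated IV at only a few thousand packets, and two packets encrypted under the same key and IV leak the XOR of their plaintexts, which one predictable packet then turns into the other plaintext. WEP's RC4 keystream is replaced here by a SHAKE-256 stand-in, and the key, IV and packet contents are constructed values.

```python
import hashlib
import math

IV_BITS = 24  # WEP's initialization vector is only 24 bits wide


def expected_packets_until_iv_collision(iv_bits=IV_BITS):
    """Birthday bound: about sqrt(pi*N/2) random IVs are sent before one repeats."""
    n = 2 ** iv_bits
    return math.sqrt(math.pi * n / 2)


def collision_probability(packets, iv_bits=IV_BITS):
    """Probability that at least one IV repeats among `packets` randomly chosen IVs."""
    n = 2 ** iv_bits
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * n))


def keystream(key, iv, length):
    """Stand-in for WEP's RC4(IV || key) keystream. SHAKE-256 is used only as a
    deterministic generator for this illustration; WEP itself uses RC4. The
    property shown below holds for any keystream fixed by (key, IV)."""
    return hashlib.shake_256(iv + key).digest(length)


def wep_like_encrypt(key, iv, plaintext):
    """Stream-cipher encryption: ciphertext = plaintext XOR keystream(key, IV)."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, iv, len(plaintext))))


def xor_of_plaintexts_from_iv_reuse(c1, c2):
    """Two ciphertexts under the same (key, IV) share a keystream, so XORing them
    cancels it and leaves P1 XOR P2, with no knowledge of the key."""
    return bytes(a ^ b for a, b in zip(c1, c2))


# Constructed demo values; not from the guide.
DEMO_KEY = bytes(range(13))      # a 104-bit WEP-style key
DEMO_IV = b"\x00\x00\x01"
P1 = b"GET /index.html "
P2 = b"known-plaintext!"


def demo():
    c1 = wep_like_encrypt(DEMO_KEY, DEMO_IV, P1)
    c2 = wep_like_encrypt(DEMO_KEY, DEMO_IV, P2)   # the same IV, reused
    leaked = xor_of_plaintexts_from_iv_reuse(c1, c2)
    # A listener who can guess P2 (e.g. a predictable protocol header) reads P1.
    return bytes(a ^ b for a, b in zip(leaked, P2))
```

Running `demo()` returns `P1` without ever touching `DEMO_KEY`, and `expected_packets_until_iv_collision()` evaluates to roughly 5,100 packets, which is why a busy WLAN hands over a repeated keystream within minutes.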


3 TKIP Vulnerabilities and Exploits

What makes TKIP vulnerable? TKIP uses the same underlying mechanism as WEP, and consequently is vulnerable to a number of similar attacks. The major TKIP flaws can be exploited through a number of attack vectors, including Man in the Middle (MITM) attacks, ARP poisoning attacks, denial of service, and other similar attacks. TKIP can be compromised through message falsification, which uses MITM attacks to forge short encrypted packets (such as ARP packets). Combined with the known method for reducing its execution time, such an MITM attack can be carried out in about one minute.


4 Security configuration guidelines

This section will walk you through the 10 steps that are required to configure your wireless home network with the proper security controls. The screen shots provided are based upon a Cisco Linksys wireless router and are meant for illustration purposes only, not an endorsement of the vendor or product. Interfaces and configuration instructions will vary from product to product. Please refer to all router manufacturer or vendor documentation for actual setup and configuration.

1. Change the default administration router/access point password.

2. Change the access server from HTTP to HTTPS.

3. Disable remote management. Remote management would allow you to change your wireless configuration from a remote location (outside your home network). Enabling remote management can lead to a potential denial of service attack. Most manufacturers have remote management disabled by default.


4. You will also need to take into account the following in-home devices and conditions:

a. Cordless phones on the same frequency
b. Another wireless network nearby
c. Microwaves
d. House construction: walls, floors, wiring
e. Location of objects within the house. Metal will block or bounce the signals.

These devices can and may cause interference. If this occurs and you experience connection drops on the WLAN connection, change the default "Wireless Channel". It is recommended to limit the number of users who can access the router. This can be done by limiting the number of IPs within the DHCP pool and scope.


5. Enable WPA2 and utilize AES encryption. Enable the highest encryption key length available; AES keys are 128, 192 or 256 bits. In addition, make sure that the wireless client software is updated on a regular basis so that the latest features supported by the access point/router product are available.

6. Enable WPA2-PSK. Ensure that the group key renewal is set to the default or 600 seconds. If your router does not support WPA2-PSK, it is strongly recommended that you procure a new wireless router / firewall product that supports WPA2 with AES encryption.


Note: The illustration below shows, as an example, a WPA2 AES enabled home wireless network (Linksys) versus an arbitrary wireless network that is not enabled with WPA2 AES.


7. Enable firewall protection, including “Filter Internet NAT Redirections”.

8. Wireless router location is key. Make sure your router is not near a window because your signal can radiate outside your home.

9. Review vendor sites periodically for firmware updates.

Summary checklist

The table below provides a summary checklist that should be used to ensure you have completed all of the recommended steps to secure your wireless home network.

Wireless Configuration Step

1 Default administrator's password has been changed
2 Access server has been changed to HTTPS
3 Remote management has been disabled
4 The default IP address to access the router configuration has been changed
5 The number of IPs that can gain wireless access has been limited by DHCP scope
6 AES encryption and WPA2-PSK authentication has been enabled
7 MAC filtering has been enabled
8 SPI Firewall has been enabled
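The checklist can also be applied mechanically. The following Python is added here and is not part of the guide or any vendor tool: it audits a router configuration expressed as a dict (the field names and both sample configurations are hypothetical, and MAX_DHCP_LEASES is an assumed household limit since the guide only says to limit the pool) and reports which numbered checklist items fail.

```python
# Constructed router settings, as plain dicts: the field names are hypothetical,
# since real routers export their settings in vendor-specific formats.
WEAK_CONFIG = {
    "admin_password_changed": False, "admin_protocol": "http",
    "remote_management": True, "admin_ip_changed": False,
    "dhcp_pool_size": 253, "security_mode": "WPA2-PSK",
    "cipher": "TKIP",  # TKIP rather than AES: fails step 6 of the guide
    "group_key_renewal_seconds": 3600,
    "mac_filtering": False, "spi_firewall": True,
}

HARDENED_CONFIG = {
    "admin_password_changed": True, "admin_protocol": "https",
    "remote_management": False, "admin_ip_changed": True,
    "dhcp_pool_size": 8, "security_mode": "WPA2-PSK",
    "cipher": "AES", "group_key_renewal_seconds": 600,
    "mac_filtering": True, "spi_firewall": True,
}

MAX_DHCP_LEASES = 10  # assumed household limit; the guide only says to limit the pool

# (checklist item, predicate that must hold, finding text when it does not)
CHECKS = [
    ("1", lambda c: c["admin_password_changed"], "default administrator password still in use"),
    ("2", lambda c: c["admin_protocol"].lower() == "https", "administration is not served over HTTPS"),
    ("3", lambda c: not c["remote_management"], "remote management is enabled"),
    ("4", lambda c: c["admin_ip_changed"], "default router IP address is unchanged"),
    ("5", lambda c: c["dhcp_pool_size"] <= MAX_DHCP_LEASES, "DHCP pool is larger than needed"),
    ("6", lambda c: c["security_mode"] == "WPA2-PSK" and c["cipher"] == "AES",
     "wireless security is not WPA2-PSK with AES"),
    ("6", lambda c: c["group_key_renewal_seconds"] <= 600, "group key renewal exceeds 600 seconds"),
    ("7", lambda c: c["mac_filtering"], "MAC filtering is disabled"),
    ("8", lambda c: c["spi_firewall"], "SPI firewall is disabled"),
]


def audit_router(cfg):
    """Return the checklist items, numbered as in the guide, that `cfg` fails."""
    return [f"{item}: {text}" for item, holds, text in CHECKS if not holds(cfg)]


if __name__ == "__main__":
    for finding in audit_router(WEAK_CONFIG):
        print(finding)
```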


5 Resources

Wireless Security for Home Networks http://www.sensible-computer-help.com/wireless-network-security.html

InfoSec 001 Information Security Policy This policy governs the protection of Xerox Information in any form, including verbal, electronic or hard copy, and in any media. It also applies to Xerox Information at any location, including in an employee's home, and stored or transmitted by any equipment or device, including equipment or storage media owned by another company or owned personally by an employee. In addition, this policy governs information protection measures required for Xerox Information that is originated, processed, transmitted, or stored in electronic form. It establishes rules for the use of protective measures and identifies the responsibilities of managers and employees of Xerox and Xerox Business Partners in protecting Xerox Information that exists in electronic form.

Xerox Information Security Standards (XISS) The Xerox Information Security Standards set forth in this document are designed to the Electronic Information System Security Policy, which establishes the rules for protective measures and identifies responsibilities for protecting information that exists in electronic form.