wireless network security -...
Why wireless?
Wifi, which is short for wireless fi … something, allows your computer to connect to the Internet using magic.
-Motel 6 commercial
… but it comes at a price
Wireless networks present security risks far above and beyond traditional wired networks:
Rogue access points
Evil twins
Packet-based DoS
Spectrum DoS
Eavesdropping
Traffic cracking
Compromised clients
MAC spoofing
Ad-hoc networks
Man-in-the-middle
Grizzly bears
ARP poisoning
DHCP spoofing
War driving
IP leakage
Wired/wireless bridging
Agenda
Wireless Networks and Security
Attacking and defending WEP
Attacking and defending WPA/WPA2
Common defense techniques
Summary
Wireless Networks and Security
1) What are Wireless Networks?
• A wireless network is a way of connecting a computer to a router without a physical link.
2) Why do we need them?
• Facilitates mobility – You can use lengthy wires instead, but someone might trip over them.
3) Why security?
• An attacker may hack a victim's personal computer and steal private data, or may perform illegal activities or crimes using the victim's machine and ID. It is also possible to read wirelessly transferred data (by using sniffers).
Wireless Security Methods
Three security approaches:
1. WEP (Wired Equivalent Privacy)
2. WPA (Wi-Fi Protected Access)
3. WPA2 (Wi-Fi Protected Access, Version 2)
WPA also comes in two modes, named Enterprise and Personal.
WEP (Wired Equivalent Privacy)
Encryption:
40 / 64 bits
104 / 128 bits
24 bits are used for IV (Initialization vector)
Passphrase:
Key 1-4
Each WEP key can consist of the letters "A" through "F" and the numbers "0" through "9". It should be 10 hex or 5 ASCII characters in length for 40/64-bit encryption and 26 hex or 13 ASCII characters in length for 104/128-bit encryption.
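The key formats above can be checked mechanically. The following is an added example, not part of the original slides: it validates a WEP key string against the four allowed lengths and goes one step further by showing that the 24-bit IV space is the same for both key sizes, assuming IVs are chosen at random. The sample keys and function names are constructed for illustration.

```python
import math
import string

IV_BITS = 24  # per the slide: 24 bits of each advertised key size are the IV

# key length in characters -> (encoding, secret bits, advertised bits)
WEP_FORMATS = {
    5: ("ascii", 40, 64), 10: ("hex", 40, 64),
    13: ("ascii", 104, 128), 26: ("hex", 104, 128),
}

def parse_wep_key(text):
    """Validate a WEP key string; return (key_bytes, secret_bits, advertised_bits)."""
    fmt = WEP_FORMATS.get(len(text))
    if fmt is None:
        raise ValueError("WEP keys are 5/13 ASCII or 10/26 hex characters long")
    encoding, secret_bits, advertised_bits = fmt
    if encoding == "hex":
        if not all(c in string.hexdigits for c in text):
            raise ValueError("hex keys may only use 0-9 and A-F")
        key = bytes.fromhex(text)
    else:
        key = text.encode("ascii")  # non-ASCII input raises a ValueError subclass
    assert len(key) * 8 == secret_bits == advertised_bits - IV_BITS
    return key, secret_bits, advertised_bits

def iv_collision_probability(frames):
    """Chance that at least two of `frames` frames share an IV (random IVs assumed)."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * 2 ** IV_BITS))

if __name__ == "__main__":
    for sample in ("1A2B3C4D5E", "abcdefghijklm"):  # constructed sample keys
        key, secret, advertised = parse_wep_key(sample)
        print(f"{sample!r}: {advertised}-bit WEP = {secret} secret bits + {IV_BITS}-bit IV")
    # The IV space is identical for both key sizes, so IV reuse arrives equally fast.
    print(f"P(IV reuse within 5000 frames) = {iv_collision_probability(5000):.2f}")
```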
WPA/WPA2 Personal
Encryption:
TKIP
AES
Pre-Shared Key:
A key of 8-63 characters
Key Renewal:
You can choose a Key Renewal period, which instructs the device how often it should change encryption keys. The default is 3600 seconds.
Attacking WEP
• iwconfig – a tool for configuring wireless adapters. You can use this to ensure that your wireless adapter is in “monitor” mode which is essential to sending fake ARP (Address Resolution Protocol) requests to the target router
• macchanger – a tool that allows you to view and/or spoof (fake) your MAC address
• airmon – a tool that can help you set your wireless adapter into monitor mode (rfmon)
• airodump – a tool for capturing packets from a wireless router (otherwise known as an AP)
• aireplay – a tool for forging ARP requests
• aircrack – a tool for decrypting WEP keys
How to defend when using WEP
Use longer WEP encryption keys, which make the data analysis task more difficult. If your WLAN equipment supports 128-bit WEP keys, use them.
Change your WEP keys frequently. There are devices that support "dynamic WEP", which is not part of the standard but allows different WEP keys to be assigned to each user.
Use a VPN for any protocol, including WEP, that may include sensitive information.
Implement a different technique for encrypting traffic, such as IPsec over wireless. To do this, you will probably need to install IPsec software on each wireless client, install an IPsec server in your wired network, and use a VLAN to connect the access points to the IPsec server.
Attacking WPA
• macchanger – a tool that allows you to view and/or spoof (fake) your MAC address
• airmon – a tool that can help you set your wireless adapter into monitor mode (rfmon)
• airodump – a tool for capturing packets from a wireless router (otherwise known as an AP)
• aireplay – a tool for forging ARP requests
― Capture WPA/WPA2 handshakes by forcing clients to reauthenticate
― Generate new Initialization Vectors
• aircrack – a tool for decrypting WEP keys (should be used with dictionary)
How to defend WPA
Passphrases – the only way to crack WPA is to sniff the password PMK (Pairwise Master Key) associated with the handshake authentication process, and if this password is extremely complicated it will be almost impossible to crack.
Passphrase Complexity – select a random passphrase that is not made up of dictionary words. Select a complex passphrase of a minimum of 20 characters in length and change it at regular intervals.
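The passphrase advice above, together with the 8-63 character pre-shared key limit from the WPA/WPA2 Personal slide, can be turned into a policy check. The following is an added example, not part of the original slides: it derives the PMK the way WPA/WPA2-Personal does (PBKDF2-HMAC-SHA1 salted with the SSID) and flags passphrases that break the slide's rules. The wordlist, passphrases and SSIDs are constructed, and the entropy figure is only an upper bound.

```python
import hashlib
import math
import string

def derive_pmk(passphrase, ssid):
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("pre-shared key must be 8-63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def estimate_bits(passphrase):
    """Upper bound on entropy, assuming every character was chosen at random."""
    pool = 0
    for charset in (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, string.punctuation + " "):
        if any(c in charset for c in passphrase):
            pool += len(charset)
    return len(passphrase) * math.log2(pool) if pool else 0.0

def check_passphrase(passphrase, wordlist, min_len=20):
    """Return the list of policy problems; an empty list means it passes."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length outside the 8-63 characters WPA accepts")
    elif len(passphrase) < min_len:
        problems.append(f"shorter than the recommended {min_len} characters")
    lowered = passphrase.lower()
    hits = sorted(w for w in wordlist if len(w) >= 4 and w.lower() in lowered)
    if hits:
        problems.append("contains dictionary words: " + ", ".join(hits))
    return problems

if __name__ == "__main__":
    words = ["password", "wireless", "admin"]  # constructed mini wordlist
    for candidate in ("wireless2024", "q7#Lm2!xVr9@TzK4&pWd8^"):  # constructed
        print(candidate, round(estimate_bits(candidate)), check_passphrase(candidate, words))
    # Same passphrase, different SSID: the salt changes, so the PMK changes too.
    print(derive_pmk("wireless2024", "linksys").hex()[:16])
    print(derive_pmk("wireless2024", "Corp-7f3a").hex()[:16])
```

Because the SSID is the salt, a network that keeps a factory-default name gives up that protection against precomputed tables, which is one reason to change the default name.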
Common defense techniques
Change the router's default user name and password
Change the internal IP subnet if possible
Change the default name and hide broadcasting of the SSID (Service Set Identifier)
None of the attack methods are faster or more effective when a larger passphrase is used.
Restrict access to your wireless network by filtering access based on MAC (Media Access Control) addresses
Use Encryption
Network Admission Control (NAC)
Determines the users, their machines, and their roles
Grant access to network based on level of security compliance
Interrogation and remediation of noncompliant devices
Audits for security compliance
Why Place Firewalls in Multiple Network Segments?
► Provide the first line of defense in network security infrastructures
► Prevent access breaches at all key network junctures
► WLAN separation with firewall to limit access to sensitive data and protect from data loss
► Help organizations comply with the latest corporate and industry governance mandates
Security Monitoring, Analysis and Reporting System
► Monitor the network
► Detect and correlate anomalies (providing visualization)
► Mitigate threats
Monitoring, Anomalies, & Mitigation
Discover Layer 3 devices on network
― Entire network can be mapped
― Find MAC addresses, end-points, topology
Monitors wired and wireless devices
― Unified monitoring provides complete picture
Anomalies can be correlated
― Complete view of anomalies (e.g. host names, MAC addresses, IP addresses, ports, etc.)
Mitigation responses triggered using rules
― Rules can be further customized to extend MARS
Rogue Access Points
Rogue Access Points are unauthorized access points set up in a corporate network
Two varieties:
Added for intentionally malicious behavior
Added by an employee not following policy
Either case needs to be prevented
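One way to spot both varieties is to compare what a wireless scan sees against an inventory of approved access points and the MAC addresses learned on the wired side. The following is an added example, not part of the original slides: every SSID, BSSID and MAC address is constructed, and the "adjacent MAC" test for wired attachment is a heuristic assumed here for illustration.

```python
# Constructed sample data: approved APs, MACs seen on wired switch ports, one scan.
AUTHORIZED = {"00:11:22:33:44:10": ("CorpNet", "WPA2"),
              "00:11:22:33:44:20": ("CorpNet", "WPA2")}
WIRED_MACS = {"00:11:22:33:44:10", "00:11:22:33:44:20", "de:ad:be:ef:00:01"}
SCAN = [
    {"bssid": "00:11:22:33:44:10", "ssid": "CorpNet", "enc": "WPA2"},
    {"bssid": "00:11:22:33:44:20", "ssid": "CorpNet", "enc": "WEP"},
    {"bssid": "66:77:88:99:aa:bb", "ssid": "CorpNet", "enc": "OPEN"},
    {"bssid": "de:ad:be:ef:00:02", "ssid": "linksys", "enc": "OPEN"},
    {"bssid": "12:34:56:78:9a:bc", "ssid": "CoffeeShop", "enc": "WPA2"},
]

def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)

def on_wired_network(bssid, wired_macs):
    """Heuristic (assumption): an AP's wired MAC equals or neighbours its BSSID."""
    value = mac_to_int(bssid)
    return any(abs(value - mac_to_int(m)) <= 1 for m in wired_macs)

def classify(obs, authorized=AUTHORIZED, wired_macs=WIRED_MACS):
    """Label one scan observation against the inventory and the wired MAC table."""
    bssid = obs["bssid"].lower()
    corp_ssids = {ssid for ssid, _ in authorized.values()}
    known = authorized.get(bssid)
    if known:
        # Approved radio: it must still advertise the approved SSID and encryption.
        return "authorized" if (obs["ssid"], obs["enc"]) == known else "authorized-misconfigured"
    if obs["ssid"] in corp_ssids:
        return "evil-twin-suspect"   # corporate SSID from an unknown radio
    if on_wired_network(bssid, wired_macs):
        return "rogue-on-wire"       # unknown AP plugged into the corporate LAN
    return "neighbor"                # unrelated network in radio range

def audit(scan=SCAN):
    """Return (bssid, verdict) for everything that needs attention."""
    verdicts = ((obs["bssid"], classify(obs)) for obs in scan)
    return [(b, v) for b, v in verdicts if v not in ("authorized", "neighbor")]

if __name__ == "__main__":
    for bssid, verdict in audit():
        print(f"{bssid}  {verdict}")
```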
Guest Wifi Benefits
Network segmentation
Policy management
Guest traffic monitoring
Customizable access portals
Compromised Clients
Wifi Threat | Security Concern | Counter Measure
Ad-hoc Connections | Wide-open connections; Unencrypted; Unauthenticated; Insecure | Pre-define ad-hoc policy
Concurrent wired/wifi connection | Contaminating secure wired environment | Concurrent wired/wifi pre-defined policy; Disable wifi traffic if wired detected
Access to unsecured wifi | May lack authentication / encryption; Risk of traffic cracking, rogue network devices | Enforce Location based policies; Restrict allowed SSIDs; Enforce stronger security policies