Wireless LAN Deployment Best Practices presentation for ISACA Singapore 2005/08/19
Wireless LAN Deployment Best Practices
Michael Boman
IT Security Researcher & Developer
http://proxy.11a.nu | proxy@11a.nu
What We Will Cover
• Wireless Concepts
• Security Issues with Wireless Networks
• Attacks against Wireless Networks
• Countermeasures
• Q & A
Wireless Basics
• 802.11 - “WiFi” networks are typically implemented as either a standalone network solution, or to extend the capabilities of an existing wired network.
• The most common wireless configurations found today are:
– Ad Hoc mode
– Infrastructure mode
Terminology
• Frame – data transmitted by the physical medium
• Access point – a device attached to a wired network providing wireless access to users
• Service set – a series of access points working in conjunction to provide access
• SSID – string identifying a service set
• BSSID – MAC address of the AP in question
The different 802.11 Standards
• 802.11b
– Operating in the 2.4 GHz band
– Maximum theoretical data rate of 11 Mbps
– In a typical office environment, its maximum range is 75 meters at the lowest speed, but at higher speeds its range is about 30 meters.
The different 802.11 Standards
• 802.11a
– Operating in the 5 GHz band
– Maximum theoretical data rate of 54 Mbps
– In a typical office environment, its maximum range is 50 meters at the lowest speed, but at higher speeds the range is less than 25 meters.
The different 802.11 Standards
• 802.11g
– Operating in the 2.4 GHz band
– Maximum theoretical data rate of 54 Mbps
– Backward compatibility with 802.11b
• 802.11i
– Supplemental draft standard intended to improve WLAN security.
– Describes the encrypted transmission of data between systems of 802.11a and 802.11b WLANs.
– Defines new encryption key protocols including the Temporal Key Integrity Protocol (TKIP) and the Advanced Encryption Standard (AES).
The different 802.11 Standards
• 802.1X
– IEEE standard for access control for wireless and wired LANs; 802.1X provides a means of authenticating and authorizing devices to attach to a LAN port.
– This standard defines the Extensible Authentication Protocol (EAP), which uses a central authentication server to authenticate each user on the network.
Concepts of the 802.11 MAC layer
• Three types of frames
– Management
• Access control: authentication, association
• Media detection: beaconing, probing
– Data
• Transmit higher layer data to or from the access point
– Control
• Acknowledge receipt of data frames
• Reserve media for long frame exchanges
Concepts of the 802.11 MAC layer
• Client authenticates to a service set
– Before access, not throughout
– Shared secret key or no key
• Client associates to an access point
• Clients disassociate with an AP, re-associate with another as they move
Ad Hoc Networks
• Also referred to as “Independent Basic Service Set” (IBSS)
• Provides peer-to-peer communication links between two or more wireless devices without the use of an AP
• This is the default setting on most wireless cards
Ad Hoc mode or IBSS configuration (diagram: a cell of wireless laptop computers communicating directly, without an AP)
Infrastructure Networks
– Also known as “Basic Service Set” (BSS)
– Requires an Access Point and at least one wireless client
– Connections are initiated with the proper Service Set Identifier (SSID) - Shared secret manually entered on the AP and each client (Not scalable)
– Sometimes Wired Equivalent Privacy (WEP) encryption keys are also configured (Used about 30% of the time)
Infrastructure mode or BSS configuration (diagram: a wireless access point connecting wireless laptop computers to the internal LAN)
Security Issues
Antenna Signal
• Walls and doors do not provide sufficient containment of the wireless signal. An Access Point (AP) placed inside a typical office can transmit a signal anywhere up to 300 meters.
– 100 meters in any direction will usually put you on a road, in a neighboring office or parking lot.
– Vertical threats such as offices above and below should also be taken into consideration when selecting your AP’s location.
– Hackers will War-Drive at lunch looking for AP’s used in conference rooms.
Antenna Signal
• An attacker can compensate for your weak signal by using a directional antenna and/or amplifier
• At DefCon 13 earlier this month, a group of enthusiasts was able to set up an un-amplified 802.11 network at a distance of 201 km.
802.11 Design Flaws
• MGMT, CTRL frames not encrypted
– Can be spoofed w/o knowledge of WEP key
• Weak authentication of station
– Easy to get access to wireless medium
• No authentication of AP to station
– Can’t prove an AP is legitimate
• Limited # of stations can use a single AP
– We can overflow an AP to prevent wireless access
SSID
• Some believe that by using a complicated SSID an unauthorized user will have difficulty in gaining access to their AP.
– SSID’s are passed in the clear, even when WEP is enabled.
– It is a trivial matter to download free software off the Internet that is designed to intercept SSID’s from a wireless communication session.
Access Control
• Access control at the MAC (Media Access Control) layer
• Most administrators feel that MAC layer filtering provides adequate security by allowing only clients with non-restricted MAC addresses to connect to the wireless network.
• MAC addresses are passed in the clear
• MAC addresses can easily be changed
Wired Equivalent Privacy (WEP)
• Should be “What on Earth does this Protect”
• Provides encryption to data frames only
• Probably fine on small, limited use networks
• Don’t depend on it for data security
• WEP gives administrators a false sense of security.
Wired Equivalent Privacy (WEP)
• Even when WEP is properly configured and deployed on a wireless network, it is still a trivial matter to break the encryption and gain access to the AP.
– WEP keys are static and configured manually (Not a scalable solution)
– WEP requires the same secret key be shared by all wireless users within the cell
– Free software that is used to crack the encryption is available on the Internet
Wi-Fi Protected Access (WPA)
• The Wi-Fi Alliance put together WPA as a data encryption method for 802.11 wireless LANs.
• WPA is a pre-standard version of 802.11i utilizing the Temporal Key Integrity Protocol (TKIP), which fixes the problems of WEP (including by using dynamic keys).
• WPA will serve until the 802.11i standard is ratified.
Extensible Authentication Protocol (EAP)
• EAP is an 802.1X standard that allows developers to pass authentication data between the RADIUS server, the access point (AP) and the wireless client.
• EAP has a number of variants, including:
– EAP-MD5
– EAP-Tunneled TLS (EAP-TTLS)
– Lightweight EAP (LEAP)
– Protected EAP (PEAP)
User Network Access Controls
• One area that is commonly overlooked is the ability to regulate internal network access.
– Most users have varying levels of access to internal resources.
– All wireless users could potentially be entering the network by the same wireless AP.
Business Risks of Wireless LANs
• A wireless attacker could affect your business in the following ways:
– Ability to destroy data
– Ability to steal proprietary data from client workstations and servers
– Disruption of network service through corruption of network devices
• RISK: Inability to meet core business and customer needs that could lead to loss of revenue
Security Risks INTRODUCED by Wireless Technology
• Rogue Access Points
• Clients Communicating in Ad Hoc Mode
A Computerworld survey estimates that at least 30 percent of businesses have rogue wireless LANs.
Rogue Device Threat
Can make your network vulnerable…
• Even with a secure wireless network
• Even if you have no wireless network
• Both Access Points and Clients are dangerous
Goal
• Protect network jacks
• Identify unauthorized wireless devices
Rogue Access Points
• Placing an AP on the inside of your network will extend its access past any physical barriers or controls.
– AP’s are small and only take a few minutes to connect to your internal network
– The level of sophistication needed to install an AP is low
Denial of Service
• A user with malicious intent could configure a client to bombard the AP with thousands of connection requests eventually leading to the complete shutdown of the targeted AP.
• RF noise generation
– Arc welder
– Homemade jamming device
• Eventual saturation of RF devices – Bluetooth, 802.11b and g devices, etc.
Security Risks of Wireless LANs
• Easier for unauthorized devices to attach to a wireless network
– Don’t need physical access
– Many organizations don’t apply security
– Presence of free wireless hacking tools
• Internal systems are usually not as secure as external or DMZ systems
Wireless is insecure by its very nature
The point?
Tools of the Trade
Hardware
Wireless Card and Antenna
Hardware
War-Driving Rig – Laptop, wireless card and Antenna
Software
• Types of monitoring tools
– Stumbling
– Sniffing
– Handheld
• Hacking tools
– WEP Cracking
– ARP Spoofing
Stumbling Tools
Stumbling tools identify the presence of wireless networks. They look for beacons from access points, and also broadcast client probes and wait for access points to respond.
Sniffing Tools
Sniffing tools capture the traffic from a wireless network and can view the data passed across the air.
Handheld Tools
Handheld tools are more portable and provide wireless network identification and network status monitoring.
Hacking Tools
Hacking tools are for pointed attacks to gain access to secured wireless networks.
Attacks against Wireless Networks
Leeching access
• Easy to do
– Laptop and wireless card
– Scanning tools help, but not required
• Hard to track down
– Who wants / can afford to triangulate a signal?
• Biggest security implication
– Joe Kiddie (not Osama) can run scans & exploit hosts
– Won’t get traced back to daddy’s cable modem
• But admins can “cripple” the wireless segment
– Rate limiting
– Filter naughty packets
Wireless Auto Configuration Algorithm
• First, the client builds a list of available networks
– Send a broadcast Probe Request on each channel
Wireless Auto Configuration Algorithm
• Access Points within range respond with Probe Responses
Wireless Auto Configuration Algorithm
• If Probe Responses are received for networks in the preferred networks list:
– Connect to them in preferred networks list order
• Otherwise, if no available networks match preferred networks:
– Specific Probe Requests are sent for each preferred network in case networks are “hidden”
Wireless Auto Configuration Algorithm
• If still not associated and there is an ad-hoc network in the preferred networks list, create the network and become its first node
– Use a self-assigned IP address (169.X.Y.Z)
Wireless Auto Configuration Algorithm
• Finally, if “Automatically connect to non-preferred networks” is enabled (disabled by default), connect to networks in order they were detected
• Otherwise, wait for the user to select a network
– Continue scanning for networks
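As an added example (not from the original slides), the following Python model replays the auto-configuration sequence just described, so a defender can see what a given preferred-network list makes a client do with no user action: which SSIDs it discloses in specific Probe Requests and when it creates an ad hoc cell. The class and function names are my own; the assumption that a hidden network answering its specific probe is then joined is marked in the code.

```python
from dataclasses import dataclass
from typing import List, Sequence

@dataclass
class Preferred:
    """One entry in the client's preferred networks list."""
    ssid: str
    adhoc: bool = False  # entry is an ad hoc (IBSS) network

@dataclass
class Step:
    action: str  # "probe", "associate", "create-ibss" or "wait"
    detail: str

PROBE = "specific Probe Request for "

def autoconfig(preferred: Sequence[Preferred], visible: Sequence[str],
               hidden: Sequence[str] = (), connect_nonpreferred: bool = False) -> List[Step]:
    """Model of the client algorithm described in the slides above.

    `visible`: SSIDs that answered the broadcast Probe Request, in detection
    order. `hidden`: SSIDs that answer only a specific Probe Request
    (assumed behaviour of a network with SSID broadcasting disabled).
    """
    steps = [Step("probe", "broadcast Probe Request on each channel")]
    # 1. A preferred network that answered the broadcast probe is joined,
    #    in preferred-list order.
    for p in preferred:
        if p.ssid in visible:
            steps.append(Step("associate", p.ssid))
            return steps
    # 2. No match: one specific Probe Request per preferred entry, in case
    #    it is hidden. Every SSID in the list is disclosed on the air here.
    for p in preferred:
        steps.append(Step("probe", PROBE + p.ssid))
    for p in preferred:
        if p.ssid in hidden:  # assumed: a hidden network that answers is joined
            steps.append(Step("associate", p.ssid))
            return steps
    # 3. Still unassociated: the first ad hoc entry is created with this
    #    client as its first node on a self-assigned 169.254.x.y address.
    for p in preferred:
        if p.adhoc:
            steps.append(Step("create-ibss", p.ssid))
            return steps
    # 4. Optional fallback (disabled by default): first network detected.
    if connect_nonpreferred and visible:
        steps.append(Step("associate", visible[0]))
        return steps
    steps.append(Step("wait", "keep scanning until the user picks a network"))
    return steps

def leaked_ssids(steps: List[Step]) -> List[str]:
    """SSIDs the client disclosed in specific Probe Requests."""
    return [s.detail[len(PROBE):] for s in steps
            if s.action == "probe" and s.detail.startswith(PROBE)]
```

Auditing a client's preferred list with this model shows why an ad hoc entry, or any entry that is not available where the client is, is a liability: both paths end with the client either advertising the whole list or opening a cell of its own.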
Attacking Wireless Auto Configuration
• Attacker spoofs a disassociation frame to the victim
• Client sends broadcast and specific Probe Requests again
– Attacker discovers networks in the Preferred Networks list (e.g. linksys, MegaCorp, t-mobile)
Attacking Wireless Auto Configuration
• Attacker creates a rogue access point with SSID MegaCorp
Attacking Wireless Auto Configuration
• Victim associates to the attacker’s fake network
– Even if the preferred network was WEP (XP SP 0)
• Attacker can supply DHCP, DNS, …, servers
Wireless Auto Configuration Attacks
• Join ad-hoc network created by target
– Sniff network to discover self-assigned IP (169.X.Y.Z) and attack
• Create a more Preferred Network
– Spoof disassociation frames to cause clients to restart the scanning process
– Sniff Probe Requests to discover Preferred Networks
– Create a network with the SSID from the Probe Request
• Create a stronger signal for the currently associated network
– While associated to a network, clients send Probe Requests for the same network to look for a stronger signal
You can be 0wned (= compromised) while watching a DVD on a plane!
A Tool to Automate the Attack
• Track clients by MAC address
– Identify state: scanning/associated
– Record preferred networks by capturing Probe Requests
– Display signal strength of packets from client
• Target specific clients and create a network they will automatically associate to
• Compromise client and let them rejoin original network
– Connect back out over Internet to attacker
– Launch worm inside corporate network
– Etc.
Creating An ALL SSIDs Network
• Can we attack multiple clients at once?
• Want a network that responds to Probe Requests for any SSID
• PrismII HostAP mode handles Probe Requests in firmware, doesn’t pass them to the driver
• Atheros has no firmware, and the HAL has been reverse engineered for a fully open-source “firmware” capable of Monitor mode, Host AP
Creating a FishNet
• Want a network where we can observe clients in a “fishbowl” environment
• Once victims associate to wireless network, will acquire a DHCP address
• We run our own DHCP server
– We are also the DNS server and router
FishNet Services
• When wireless link becomes active, client software activates and attempts to connect, reconnect, etc. without requiring user action
• Our custom DNS server replies with our IP address for every query
• We also run “trap” web, mail, chat services
– Fingerprint client software versions
– Steal credentials
– Exploit client-side application vulnerabilities
Client-Side Application Vulnerabilities
• Recent client-side vulnerabilities
– Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege
– Vulnerability in JView Profiler Could Allow Remote Code Execution
– Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution
– Vulnerability in Server Message Block Could Allow Remote Code Execution
– …
• Exploits can make use of fingerprinting info
Beating access control
• MAC address spoofing
– Sniff or brute force legitimate MAC addresses
– Return and use those addresses later
• Crack WEP key w/ known tools (hours, days)
– Or just find one among the multitude of available APs without WEP…
Denial of service
• Forge disassociations
– Deny an individual station access
– Used also to hijack sessions
• Forge lots of associations
– Saturate an access point
– Access point will stop accepting associations
• Forge lots of beacon frames
– Creates illusion of access points that don’t exist
– Can also throw off a war driver seeking access
Session hijacking
• Disassociate client
• Take over any desired existing network sessions
• New venue for known transport session hijacking
Man in the middle
• Impersonate an access point
• Tamper with data
• Pass on to legitimate access point
• Already-implemented SSH, SSL and other MITM attacks also have a new venue on 802.11
Home Users (diagram: a wireless access point with home client computers labelled “Hack-me”)
Corporate Networks (diagram: a wireless hacker reaching the Accounting and Payroll hosts through the wireless access point and the internal switch)
ARP Cache Attacks can also be launched against:
• Wireless Clients connected to the AP
• Wireless Clients and Wired Clients
• Wireless Home Users (Couch Networks)
• And many other combinations
Corporate Networks (diagram: telecommuters reaching the corporate network over the Internet, with the employee and attacker positions marked)
Countermeasures
SEC- -Y
If not you, who? If not now, when?
The key to security awareness is embedded in the word security…
Countermeasures
• Holistic Approach
– Prevention
– Identification
– Response
Prevention
• Create a completely separate wireless security policy
• Do a complete Site Survey before placement of AP’s
• Wireless networks should always be treated as un-trusted and never placed behind corporate firewalls
• Use MAC layer filtering
• Be sure to change the SSID from the default value and disable broadcasting if possible
Prevention
• Use encryption, even WEP (Low hanging fruit theory)
• Static IP’s vs DHCP
• Use third party software for additional security – Authentication, VPN encryption
• Use personal firewall and anti-malware software on your wireless client systems
• Install the latest security patches and firmware updates on your wireless equipment
Prevention
• Do regular audits of deployed wireless equipment
• Perform regular sweeps for un-authorized wireless equipment
• Perform regular Penetration Tests against your whole infrastructure, including the wireless segments (alternative: concentrate on perimeter and wireless segments)
Identification
• Deploy Wireless IDS sensors
• Identify your signal range – clients with antennas can pick up your signal further away than without one
• Periodically scan your facility for rogue access points using the same software attackers are using
• Check your internal logs for strange anomalies concerning MAC addresses
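Added example (not part of the original slides): a small Python audit that compares one stumbler sweep against an inventory of authorised access points, so that an unknown BSSID, an unknown AP advertising the corporate SSID, or an authorised AP running the wrong encryption stands out. The inventory, the scan lines and the comma-separated line format are all constructed for this example.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple

class Observed(NamedTuple):
    bssid: str
    ssid: str        # "" when the AP does not broadcast its SSID
    channel: int
    encryption: str  # "none", "WEP" or "WPA" as reported by the stumbler

# Constructed inventory: BSSID -> (SSID it should advertise, encryption).
AUTHORISED: Dict[str, Tuple[str, str]] = {
    "00:11:22:33:44:01": ("corp-wlan", "WPA"),
    "00:11:22:33:44:02": ("corp-wlan", "WPA"),
    "00:11:22:33:44:04": ("corp-wlan", "WPA"),
}

# Constructed stumbler output (not a real capture): bssid,ssid,channel,enc
SAMPLE_SCAN = """\
# bssid,ssid,channel,encryption
00:11:22:33:44:01,corp-wlan,1,WPA
00:11:22:33:44:02,,6,WPA
00:11:22:33:44:03,corp-wlan,11,WPA
00:AA:BB:CC:DD:EE,linksys,6,none
00:11:22:33:44:04,corp-wlan,11,WEP
"""

def parse_scan(text: str) -> List[Observed]:
    """Parse the four-column format; comment and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, channel, enc = (f.strip() for f in line.split(",", 3))
        rows.append(Observed(bssid.lower(), ssid, int(channel), enc))
    return rows

def classify(obs: Observed, inventory=AUTHORISED) -> Optional[str]:
    """Finding for one observed BSS, or None when it matches the inventory."""
    known = inventory.get(obs.bssid)
    if known is None:
        our_ssids = {ssid for ssid, _ in inventory.values()}
        if obs.ssid in our_ssids:
            return "EVIL-TWIN: unknown BSSID advertising our SSID"
        return "UNKNOWN-AP: not in inventory (rogue candidate)"
    ssid, enc = known
    # A hidden SSID ("") is not a mismatch: broadcasting may be disabled.
    if obs.ssid and obs.ssid != ssid:
        return f"MISCONFIG: expected SSID {ssid!r}, saw {obs.ssid!r}"
    if obs.encryption != enc:
        return f"MISCONFIG: expected {enc}, saw {obs.encryption}"
    return None

def audit(text: str, inventory=AUTHORISED) -> Dict[str, str]:
    findings = {}  # problematic BSSID -> finding
    for obs in parse_scan(text):
        finding = classify(obs, inventory)
        if finding:
            findings[obs.bssid] = finding
    return findings
```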
Response
• Have an adequate response plan in place to deal with malicious activity
• Have the ability to log activity of a malicious user to aid in prosecution
• Have the ability to control and reconfigure your Access Points on the fly
Countermeasures - Antenna Signal
• Proper selection of antenna – Parabolic, etc.
• Attenuate the signal by reducing transmitter power if possible
• Ground interior walls (If metal construction)
• Thermally insulate exterior glass using metallic window treatments
• Smart positioning of AP’s
• Lining closets housing the AP with aluminum foil
• Use of metallic paints – Extreme
Countermeasures - SSID
• Turn off SSID broadcasting at the AP if possible (Not all AP vendors allow this)
• Understand that SSID’s provide “Zero” security
• Avoid using a SSID that gives away information about your network. (“TaxNet1” or “Kennedy:Mailroom”)
Countermeasures - MAC ACL
• Do not depend on MAC layer filtering as your only security solution for providing secure AP access
• Use Intrusion Detection Servers (IDS) to alert you when an excessive number of unsolicited ARP replies are detected on the network
• Use the tool “arpwatch” - This tool will provide E-mail notification when IP to MAC bindings change.
Countermeasures - WEP
• Proprietary solutions offered by certain vendors are all incorporating dynamic key management into their products. (Cisco, Enterasys, AVAYA, etc.) Be careful not to commit yourself to a single vendor specific solution.
• Use IPSec VPN software
• EAP/802.1X – Extensible Authentication Protocol (EAP) to provide centralized authentication (RADIUS, etc.) and dynamic key distribution
Countermeasures - User Access Control
• Use multiple AP’s to access different segments of the network, each with a unique SSID.
• Use a third party VPN solution to connect the users to the appropriate network segment.
– This solution can be used through a single AP for all users. Each user would be routed internally to the appropriate VPN endpoint within the corporate network.
Countermeasures - Access Point (AP)
• Update your corporate policy to prohibit the installation of an AP without the approval of internal security or the IT department
• Always place AP’s outside a firewall, inside a DMZ, or within a sandbox network.
• Disable unused ports on the internal switches until needed (especially in conference rooms)
• Monitor any new MAC addresses that are discovered on the internal network – “ArpWatch”
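Added example (not the slides' own code, and not arpwatch itself): a Python monitor in the spirit of the arpwatch checks recommended here and under MAC ACL above. It tracks IP-to-MAC bindings, reports new stations and binding changes, and raises an alert when one MAC sends a burst of unsolicited ARP replies. The trace format and the sample packets are constructed; the threshold and window are tunable assumptions.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List

# Constructed ARP trace (not a real capture), one packet per line:
# <seconds> <request|reply> <sender MAC> <sender IP> <target IP>
SAMPLE_TRACE = """\
0.0 request 00:11:22:00:00:05 10.0.0.5 10.0.0.1
0.1 reply   00:11:22:00:00:01 10.0.0.1 10.0.0.5
5.0 reply   00:11:22:00:00:99 10.0.0.1 10.0.0.5
5.5 reply   00:11:22:00:00:99 10.0.0.1 10.0.0.5
6.0 reply   00:11:22:00:00:99 10.0.0.1 10.0.0.5
6.5 reply   00:11:22:00:00:99 10.0.0.1 10.0.0.5
7.0 reply   00:11:22:00:00:99 10.0.0.1 10.0.0.5
"""

class ArpMonitor:
    """Track IP-to-MAC bindings and unsolicited replies seen in ARP traffic."""

    def __init__(self, reply_threshold: int = 5, window: float = 10.0):
        self.bindings: Dict[str, str] = {}            # ip -> mac last seen
        self.known_macs = set()
        self.pending: Dict[str, float] = {}           # requested ip -> time asked
        self.unsolicited: Dict[str, Deque[float]] = defaultdict(deque)
        self.threshold, self.window = reply_threshold, window

    def observe(self, ts: float, op: str, mac: str, ip: str, target_ip: str) -> List[str]:
        """Feed one ARP packet; return the alerts it raises (possibly none)."""
        alerts = []
        mac = mac.lower()
        if mac not in self.known_macs:                # arpwatch-style "new station"
            self.known_macs.add(mac)
            alerts.append(f"new station {mac} claims {ip}")
        prev = self.bindings.get(ip)
        if prev is not None and prev != mac:          # arpwatch-style "flip flop"
            alerts.append(f"binding change {ip}: {prev} -> {mac}")
        self.bindings[ip] = mac
        if op == "request":
            self.pending[target_ip] = ts              # someone asked for target_ip
        elif op == "reply":
            asked = self.pending.pop(ip, None)        # reply answers a recent request?
            if asked is None or ts - asked > self.window:
                q = self.unsolicited[mac]
                q.append(ts)
                while q and ts - q[0] > self.window:  # keep only the sliding window
                    q.popleft()
                if len(q) == self.threshold:
                    alerts.append(f"{mac}: {self.threshold} unsolicited ARP "
                                  f"replies within {self.window:g}s")
        return alerts

def run(trace: str, **kw) -> List[str]:
    """Replay a trace through a fresh monitor and collect every alert."""
    mon, alerts = ArpMonitor(**kw), []
    for line in trace.splitlines():
        if not line.strip():
            continue
        ts, op, mac, ip, target = line.split()
        alerts.extend(mon.observe(float(ts), op, mac, ip, target))
    return alerts
```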
Countermeasures - DOS
• Shield the perimeter of your building
• This will help in two ways:
– Help contain your wireless signal within a defined perimeter
– Reduce the risk of outside RF interference
Wireless can be Secure
• Apply all security features of products
• Require Authentication, Authorization and Encryption
• Use the same well known network security solutions as wired networks, including:
– Network segmentation
– Use of personal firewalls
– Well defined, trainable, and enforceable security policy
• Perform Wireless Security Monitoring
Putting it all together
(diagram: wireless laptop computers with personal firewall & VPN software connect, using WEP, MAC filtering and a unique SSID (if broadcasting is not disabled), to a wireless access point; a firewall passes IP protocols 50 and 51 and UDP port 500 to the VPN gateway and authentication server on the internal LAN, which is monitored by IDS and WIDS sensors)
Questions?