Wireless Networking Security Issues with the Implementation of IEEE 802.11x
Government Communications Security Bureau
Format
• Introduction
• Wireless Technologies
• Issues
• Threats
• Mitigation
• Summary
Introduction
Wireless is an evolving security “headache”
• It’s a very convenient technology, so..
• Wireless will be (& is) happening – regardless
• We can ignore it or deal with it …
• Current technology has issues, newer techniques may improve security
• Users & Managers need to be fully aware of, and not underestimate, the issues
Common Wireless Protocols & Standards
• Infrared
• (W)CDMA / GPRS
• Bluetooth
• IEEE 802.11x
What is 802.11?
• Wireless Local Area Network (WLAN) Protocol
• Defines Ethernet-like communication channel using radios instead of wires
• Advantages over other standards - longer ranges, higher speeds, simpler configurations
Key Features of 802.11b (Wi-Fi)
• Supports data rates of up to 11 Mbps at distances of up to 150 metres using the 2.4 GHz spectrum.
• Using a directional antenna, range can be extended as far as 14 kilometers.
• Supports up to 128 network devices.
• Supports voice over IP (VoIP) data and voice networking capabilities.
Key Features of 802.11a
• Supports data rates of up to 54 Mbps at distances of up to 100 metres using the 5 GHz spectrum.
• Using a directional antenna, range can be further extended.
• Supports up to 128 network devices.
• Supports voice and data networking capabilities.
IEEE 802.11g
• Higher rate extension to 2.4GHz band, up to 54Mbps
• Backwards compatible with 802.11b (g's slow down to b)
• “Super G” = channel bonding up to 108Mbps
802.11a, b and g Security Features
• Service Set Identifiers (SSIDs): a unique identifier attached to the header of the packets that acts as a password
• Wireless Encryption Protocol (WEP): designed to provide the same level of security as that of a wired LAN
• Media-access control (MAC) address filtering: unique device identification filtering
• Wireless Protected Access (WPA): interim security upgrade
IEEE 802.11i
• Supplementary enhancements to 802.11 standard
• Key caching
• Pre-authentication - allows fast roaming
802.11i Security Features
• Encryption based on AES (Advanced Encryption Standard): 128-bit strong key cipher
• Temporal Key Integrity Protocol (TKIP): addresses all known vulnerabilities
• CBC-MAC cipher algorithm (CCMP): header and data integrity
• Change in cipher keys over time
• EAP (Extensible Authentication Protocol): key management, user and device authentication
“The Broken” Video (5 min’s)
http://www.thebroken.org/
Insecure Wellington Wireless APs
Issues
• WEP: Algorithm is weak
• SSIDs: Broadcast in clear
• MAC: Able to be spoofed
• WPA: Interim standard
Issues
• Adhoc Networking
  • Users can establish peer to peer networks without controls
• Advertising your network
  • Via poor placement of access points
  • High powered devices
Threats
• Interception
• DoS (Denial of Service)
• Masquerading
• User devices
• Poor planning and management
Not secure by nature
• Open medium
  • Broadcasts and leaks
  • Passive techniques
• Multipurpose devices
  • User
  • Security professional
  • Hacker/Cracker
Interception
Petone from Mount Victoria - solid Wi-Fi signal detected at some 10kms.
DoS (Denial of Service)
• Intentional jamming
• Crowded airwaves
  • ISM (Industrial, Scientific and Medical application) frequency range.
  • Bluetooth, 802.11b/g, portable home phones, baby monitors and many more common devices.
  • Limited number of channels.
• Unlicensed frequencies
• Not a lot you can do to stop it
Masquerading
• Spoofing
  • MAC
  • SSID
  • Stronger signal levels
  • Insert an access point.
[Diagram labels: Access Point, Rogue, User, Legit User]
• Poor authentication
  • Device level (link level)
  • User level
User devices
Why attack the Access Point if a wireless client device itself is open?
• Wireless client devices broadcast in many directions
• Steal the device and keys
• Theft of a legitimate device provides ‘legitimate’ access
• Standard attacks once in – Trojans, rootkits, remote control …
Poor planning and management
• No site surveys
• Rogue access points
• High power signals
• Broadcasting more info’ than needed
  • SSID - useful names or defaults
• Poor antenna placement
• No policies or staged implementation …….
Real time or my time
• Most well known hacks are real-time, network-intrusion based;
• What if I want the information on the network - just record it!
  • Time is on my side - take it away
  • Peel away each layer
  • Brute force/crack the data
  • Wait for vulnerabilities
Why so many threats?
• Fast-evolving technology, not well understood, not fully mature
• Generally the technology ships insecure by default
• Network experts are not automatically wireless experts
• Easy (‘know nothing’ expertise) to set-up
• Successful and secure wireless requires careful planning and management
If you do nothing
What to do about it
• Policies
• VPN’s
• Cell Sizing
• Enterprise gateways
• Planning
• Site Surveys
• Limit broadcasts
• Encryption
• Training and certification
• Segment Wireless
• Careful Management
• Change the defaults
• No ‘ad hoc’ networking
• Device level fire walling
• Device and user authentication
• Layer defence mechanisms
• Asset tracking and user training
• Fix DRS (dynamic rate shifting)
• The list goes on ………………………….
You can secure wireless, but security is by design not default ….
Mitigation Strategies
Employ and enforce policies:
• Use or expand existing IT security policy.
• SIGS, ISO 17799 and Security Notices.
• Ensure only agency-supplied devices are used.
• Complete a comprehensive risk assessment.
• Monitor and audit usage.
Policies and Planning
Policies (cont)
What can you send over a wireless network?
• Wireless (802.11x) networks can be used to transmit and receive information under the following conditions…
Policies (cont)
Security Classification | Requirements
UNCLASSIFIED | 128bit WEP or better
IN-CONFIDENCE | WPA or 802.11i
RESTRICTED and SENSITIVE | WPA and approved encryption algorithm or 802.11i
CONFIDENTIAL and up | See GCSB
General Recommendations
• Design your network to reduce the amount of external advertising of your network
  • Complete an in-depth site survey, mapping the area to be covered.
  • Carefully select the locations of access points, the power output of devices etc.
• Manage changes carefully
  • When coverage needs to be extended, or new devices deployed, consider the implications of how this may affect the overall network.
General Recommendations (cont.)
Secure your access points:
• Use or upgrade to Wireless Protected Access (WPA).
• Change Service Set Identifiers (SSID) to something meaningless.
• Disable Broadcast-Mode.
• Enable Media Access Control (MAC).
• Limit times of day connections to prevent ‘out of hours’ attacks.
• Disable Peer-to-Peer.
General Recommendations (cont.)
Secure your information:
• Use strong encryption and authentication, i.e. VPNs.
• Employ firewalls and do not allow traffic to flow directly between the WLAN and the LAN.
• Require authentication before traffic passes between the WLAN and the LAN.
• Set-up Intrusion Detection
• Users should monitor the W-LAN to ensure they connect only to authorised APs and networks.
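An added example (not part of the original slides and not GCSB code): a Python audit of constructed access-point inventory records against the "Secure your access points" checklist and the classification table above. The record fields, the ordering of protection levels, the reading of "Enable Media Access Control (MAC)" as MAC address filtering, and the list of revealing SSID words are assumptions made for the illustration.

```python
from dataclasses import dataclass
# Link-layer protection, weakest first (ordering assumed from the slides).
RANK = {"none": 0, "wep-64": 1, "wep-128": 2, "wpa": 3, "802.11i": 4}
# Minimum protection per classification, taken from the policy table.
MINIMUM = {"UNCLASSIFIED": "wep-128", "IN-CONFIDENCE": "wpa",
           "RESTRICTED": "wpa", "SENSITIVE": "wpa"}
NEEDS_VPN_UNLESS_11I = {"RESTRICTED", "SENSITIVE"}
APPROVED_CIPHERS = {"aes", "3des"}  # symmetric algorithms the slides approve
REVEALING_WORDS = {"linksys", "default", "agency"}  # assumed sample words

@dataclass
class AccessPoint:  # hypothetical inventory record
    bssid: str
    ssid: str
    protection: str
    broadcast_ssid: bool
    mac_filtering: bool
    adhoc_allowed: bool
    classification: str
    vpn_cipher: str = ""

def audit(ap, authorised_bssids):
    findings = []
    if ap.bssid.lower() not in authorised_bssids:
        findings.append("unauthorised BSSID (possible rogue AP)")
    if any(word in ap.ssid.lower() for word in REVEALING_WORDS):
        findings.append("SSID is a default or reveals the owner")
    if ap.broadcast_ssid:
        findings.append("SSID broadcast enabled")
    if not ap.mac_filtering:
        findings.append("MAC address filtering disabled")
    if ap.adhoc_allowed:
        findings.append("peer-to-peer (ad hoc) mode enabled")
    minimum = MINIMUM.get(ap.classification)
    if minimum is None:  # CONFIDENTIAL and up: the table says "See GCSB"
        findings.append("classification outside table: refer to GCSB")
    elif RANK.get(ap.protection, 0) < RANK[minimum]:
        findings.append(f"{ap.protection} below {minimum} for {ap.classification}")
    elif (ap.classification in NEEDS_VPN_UNLESS_11I and ap.protection != "802.11i"
          and ap.vpn_cipher.lower() not in APPROVED_CIPHERS):
        findings.append("WPA link needs a VPN using an approved algorithm")
    return findings

# Constructed sample data: three authorised APs, one unknown AP reusing an SSID.
AUTHORISED = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}
SAMPLE = [
    AccessPoint("00:11:22:33:44:01", "x7q2", "wpa", False, True, False, "IN-CONFIDENCE"),
    AccessPoint("00:11:22:33:44:02", "linksys", "wep-128", True, False, True, "IN-CONFIDENCE"),
    AccessPoint("00:11:22:33:44:03", "k9d4", "wpa", False, True, False, "RESTRICTED", "des"),
    AccessPoint("66:55:44:33:22:11", "x7q2", "none", True, False, False, "UNCLASSIFIED"),
]
def run_audit():
    return {ap.bssid: audit(ap, AUTHORISED) for ap in SAMPLE}

if __name__ == "__main__":
    print(run_audit())
```

The fourth record shows why an SSID match alone is not evidence of an authorised access point: it reuses a known SSID but its BSSID is not in the inventory.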
Specific requirements for UNCLASSIFIED material
• Of the encryption types previously discussed, you must only enable 128-bit WEP encryption
• WPA is preferred, or
• 802.11i
Specific requirements for IN-CONFIDENCE material
• You must employ WPA for access-point encryption and ensure your network is generally secure and well managed.
• VPNs should be used, via an approved encryption algorithm, such as 3-DES or AES, or
• 802.11i
Specific requirements for SENSITIVE & RESTRICTED material
• You must employ the techniques discussed earlier and employ firewalls and VPNs using encryption like AES, or
• 802.11i
Specific requirements for CONFIDENTIAL and up
• See GCSB for more information
Approved Products and Algorithms
Symmetric encryption algorithms:
Algorithm | Conditions of use
Advanced Encryption Standard (AES) | AES supports key lengths of 128, 196 and 256 bits, all of which are suitable.
Triple DES (3DES) | Triple DES MUST use either: 2 distinct keys in the order key1, key2, key1; or 3 distinct keys.
Approved Products and Algorithms (cont)
Asymmetric / public key algorithms:
Algorithm | Approved uses
Diffie-Hellman (DH) | Agreeing on encryption session keys.
Digital Signature Algorithm (DSA) | Digital signatures. Note: GCSB’s recommended algorithm for this purpose.
Rivest-Shamir-Adleman (RSA) | Digital signatures. Passing encryption session keys or similar keys.
Approved Products and Algorithms (cont)
Hashing Algorithms
Algorithm | Reference(s)
Message Digest v5 (MD5) | AS 2805.13.3; RFC 1321
Secure Hashing Algorithm (SHA-1) | AS 2805.13.3; FIPS 180
Other algorithms and products
• To the IN-CONFIDENCE level, if it meets FIPS 140-2 and/or is certified to EAL4, then although the product or algorithm is not specifically approved, it probably does meet the required minimum standards for approval.
• A more complete list of approved products is provided by AISEP and can be found at: www.dsd.gov.au/infosec/evaluation_services/epl/epl.html
Summary
• Wireless networking offers many advantages that make it highly attractive.
• There is an increasing array of devices and options that can be and are being used.
• If we do not manage these devices into our networks, they will turn up anyway.
• Good security policies and good network planning are the basis for security.
• It is possible to plan, implement and manage a secure wireless network.
• Security need not be too difficult.
Guidance
Government Communications Security Bureau
Phone: 04 4726881
Email: [email protected]@gcsb.govt.nz
Web: www.gcsb.govt.nz