Copyright © 2002-2005 AirDefense Proprietary and Confidential.
Wireless LAN Security: Hacker-proof Your Wireless LAN
Kevin McCaffrey, Director, Mid-Atlantic Region
Unsecured Wireless Networks can be Devastating!
Wireless Networks Improve Productivity… They Also Open Backdoors, Making Security Investments Obsolete
AirDefense Snapshot
• Focus: Pioneered Advanced Wireless Intrusion Prevention
• Innovation: 15 Patents pending; Deep Differentiated Technology with Best Detection and Protection Against the Most Sophisticated Attacks
• Leadership: One of the Fastest Growing Companies; Absolute Market Leadership - 75%+ Market Share
• Customers: Selected by over 400 Customers including Market Leaders in all Major Industries and Government
• Partners: Selected by Industry Leaders e.g. Cisco, IBM, CSC and others
• Awards: Won Numerous Industry Awards for Innovation and Recommended by Industry Analysts
[Chart: Total APs & WLAN Devices Shipped, in millions of units, 2002-2005]
Wireless is here to stay…
Survey carried out by Carrie Higbie, The Siemon Company, to evaluate how secure business travelers were. Out of 17 cities (24-48 hrs at each location), on her laptop there were:
• 227 intrusion attempts
• 321 Spyware loads (many came right off the main site to sign up for service)
• 21 attempts to get passwords
• 3 sent critical info (like credit card info) via clear text
Total APs & WLAN Device shipments have crossed the 100 million mark and are growing rapidly.
• Innocent employee mistakes and human errors make the entire network open and vulnerable
• Rogue devices are almost assured in enterprise air domain
• Most threats and attacks go undetected
• Liability and corporate compliance issues are just beginning to surface
• Policy Enforcement is KEY
Wireless LAN Risks are Real and Occurring Daily…
• "Wireless networks are wide open," says Steve Lewack, director of technology services for Columbus Regional Medical Center in Columbus, Ga.
• Identity thieves can lurk at Wi-Fi spots
• NEW YORK (CNN/Money) - With more than 20,000 hot spots just in the U.S., it's no wonder everyone has gone
• 5 Tips: Keeping your Wi-Fi use private
• Hackers, Thieves Use Laptops, Other Wi-Fi Devices to Access Corporate Computer Systems
• Wireless Mischief: Double Jeopardy. But falling prey to an evil twin isn't just a problem for personal users. Spencer Parker, a director of
• AirDefense's wireless IDS performs preliminary data analysis and cleaning at the sensor before forwarding
• Making Sense of Wireless IPS
• LONDON, England -- "Evil twins" are the latest menace to threaten the security of Internet users, experts in the UK are warning.
• NEW YORK - If you think that wireless applications have become completely ubiquitous in corporate
• How Lehman Brothers Overcame Its Wireless Fears
• A Latte with a Side of Identity Theft: What you need to know before your next visit to your favorite coffee shop
Wi-Fi Security stories quadrupled since last year
What is Driving Evolution of Wireless Security?
Drivers
• Increased business dependency on Wireless
• Increasing user base
• At home and Hotspot use
• Evolving Standards and newer technologies
• VOIP
• One simple issue can expose the whole corporate network
Security issues
• Recreational hacker -> activist -> organized crime -> industrial espionage
• Greater proliferation of viruses
• Increased tooling to exploit vulnerabilities
• Internal vs. external threats
• Malicious intent vs. accidental
Secure Wireless & Policy Compliance are keys to Successful Deployment
Threats from Wireless Devices
[Diagram: Corporate Network with Hardware AP, Wireless Laptop, Barcode Scanner, Soft AP, Rogue Access Point, Neighboring WLAN, Hotspot / Evil Twin, Ad-Hoc, and an Intruder in the Parking Lot; arrows labelled BEACONS, PROBES, Accidental Association, Malicious Association, Confidential Data. Rogue device signals bleed around physical walls and firewalls.]
• Intruders or hackers can launch attacks (DoS, Identity Theft)
• Associations: accidental, malicious; peer-to-peer/ad hoc. VPN & Authentication don't help
• Bridging wireless laptops: opens back doors and exposes wired network
• Wireless Phishing: can hijack users at hotspots (AirSnarf, Hotspotter, Evil Twin)
Tools & Trends for the Hacker Wannabe
[Screenshots: WiGLE.net; a client window showing "Connected to www.test.com"]
• Scanners: NetStumbler and MiniStumbler, Kismet, THC-WarDrive, PrismStumbler, MacStumbler, Mognet, Wellenreiter, WaveStumbler, Stumbverter, AP Scanner, SSID Sniff, Wavemon, Wireless Security Auditor, AirTraf
• Sniffers: AiroPeek, NAI Wireless Sniffer, Ethereal, VPNmonitor
• Bootable CD-ROM: WarLinux, Knoppix, LSAKnopix
• Exploit Tools: Pong "GSTsearch", Ittra
• Denial of Service: Hunter_Killer, VOID, FATAjack, Michael
• Multi-use Tools: AirJack, THC-RUT, Ettercap
• WEP Tools: WEPCrack, AirSnort, WEPWedgie
• Soft APs: HostAP, CqureAP, DiskAP, Coyote
• Other Tools: Fake AP, MonkeyJack, AirSnarf, WINPCAP
Evolving Trends: A Race Against New Vulnerabilities
Sophistication of Tools (increasing from first to last):
• Reconnaissance: Detect WLANs (Netstumbler, Kismet)
• Sniffing: Capture Traffic - network protocols, data, credentials (Ethereal, Cain)
• Masquerading: Stealth Intrusion - MAC Spoofing, WEPwedgie, Man-in-the-middle, AirSnarf, Evil Twin
• Insertion, Injection: Network Manipulation - ARPwin, ARP poisoning
• DoS Attacks: Disruption - AirJack, Hunter-Killer
Device Impersonation - Access Points: 3 simple steps
1. Determine User Station MAC address & unplug the station (valid internal MAC: 00 02 2D 50 D1 4E)
2. Copy valid user MAC to AP (Rogue AP original MAC: 00 12 2D 50 43 1E; new MAC: 00 02 2D 50 D1 4E)
3. Connect AP into Network
Implications:
• Wired-side AP discovery can be fooled
• Monitor your air waves
Soft AP: Make any Laptop an AP
Monitor for Soft APs
• Bootable Floppy disk: http://ap.cqure.net/ , http://www.coyotelinux.com/
• Freeware: HostAP http://hostap.epitest.fi/
• RPM install for Redhat 8.0 and 9.0: http://www.cat.pdx.edu/~baera/redhat_hostap/
• No special firmware required for the wireless LAN card
• Supports normal laptop in Infrastructure and Ad hoc
• Soft APs come and go
Now Coming to a Windows LAPTOP Near YOU!
http://www.pctel.com/prodSegSam.html
http://www.quetec.net
WLAN Denial of Service Attacks
• Against an AP: keeps all traffic from communicating with the rest of the network
• Against a Station: keeps the Station from communicating with any device
• Broadcast: all network devices, including some internal networks, shut down
DoS a Station with WLAN-Jack (Target (User), AP, Attacker):
1. User enjoying good connection
2. Impersonate AP by spoofing the MAC (Attacker original MAC: 00 12 2D 50 43 1E; new MAC: 00 02 2D 50 D1 4E; AP MAC: 00 02 2D 50 D1 4E)
3. Send Disassoc & Deauth frames
Man-in-the-Middle Attack: WLAN Jack & Air-Jack tools
First Step: Disassociation of Target station from AP by spoofing the MAC of the AP and sending Disassociate & Deauth Frames
Second Step: Attacker re-associates target to Malicious station and connects to AP
[Diagram: Target, Server, AP, Dual-Card Attacker]
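Sensor-side detection for the three preceding slides (AP impersonation with a copied station MAC, the WLAN-Jack deauth flood, and the disconnect step of the man-in-the-middle), written here as an added example over a constructed sensor log, not AirDefense code; the inventory, sensor names and thresholds are assumptions.

```python
from collections import defaultdict

# Assumed device inventory (constructed; the station MAC is the one used on the slides).
AUTHORIZED_APS = {"00:0c:29:aa:bb:01"}
AUTHORIZED_STATIONS = {"00:02:2d:50:d1:4e"}

# Constructed sensor records: (time_s, sensor, subtype, source_mac, bssid, channel)
FRAMES = [
    (0.00, "S1", "beacon", "00:0c:29:aa:bb:01", "00:0c:29:aa:bb:01", 6),
    (0.10, "S1", "data",   "00:02:2d:50:d1:4e", "00:0c:29:aa:bb:01", 6),
    # a rogue AP beaconing with the copied MAC of a valid user station
    (1.00, "S2", "beacon", "00:02:2d:50:d1:4e", "00:02:2d:50:d1:4e", 11),
]
# 60 deauth frames within one second, carrying the sanctioned AP's MAC as source
FRAMES += [(2.0 + i / 100, "S1", "deauth", "00:0c:29:aa:bb:01",
            "00:0c:29:aa:bb:01", 6) for i in range(60)]


def detect(frames, window_s=1.0, flood_threshold=20):
    """Return (alarm, mac, sensor) tuples; frames must be in time order."""
    alarms = []
    seen_as_ap = set()              # (mac, sensor) pairs already classified as APs
    flood = defaultdict(int)        # (bssid, sensor, time bucket) -> disconnect-frame count
    for t, sensor, subtype, src, bssid, _chan in frames:
        if subtype == "beacon" and (src, sensor) not in seen_as_ap:
            seen_as_ap.add((src, sensor))
            if src in AUTHORIZED_STATIONS:
                # a station MAC should never beacon: an AP wearing a copied user MAC
                alarms.append(("station-mac-as-ap", src, sensor))
            elif src not in AUTHORIZED_APS:
                alarms.append(("unknown-ap", src, sensor))
        elif subtype in ("deauth", "disassoc"):
            # disconnect frames are rare in normal operation; a burst from one BSSID
            # is the WLAN-Jack pattern and the first step of the man-in-the-middle
            key = (bssid, sensor, int(t // window_s))
            flood[key] += 1
            if flood[key] == flood_threshold:   # alarm once per window
                alarms.append(("deauth-flood", bssid, sensor))
    return alarms
```

A real sensor would also cross-check the flood against what the sanctioned AP itself reports (an AP that did not send the frames confirms the spoof).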
Ad-hoc networks - Peer to Peer: No Access Point Needed
Monitor for ad hoc networks
• Native support in XP
• Client software in other Windows OS
• Laptops can be put in ad hoc mode remotely (virus, Trojan horse)
• Scanners not effective for detecting ad hoc - they come and go
What is my Laptop Doing? Associating? Forming ad hoc network?
• List of Access Points (SSIDs) to which it has connected
• XP stations send probes looking for SSIDs they have connected with in the past
• Monitoring can tell you probing or unassociated PCs
Wireless LANs: End-to-End Security
Layered Approach to Security
Wireless Monitoring & IPS System
Handheld Scanners
What it does: Manually used to troubleshoot issues in specific areas; used for war driving & periodic site surveys
Pros: Inexpensive tool; expensive labor and risks
Cons:
• Single snapshot in time: ONLY sees what is present at time of survey
• Uncorrelated information
• Not cost effective: needs personnel resources per site; not scalable for large organizations
• Distributed enterprises become difficult to monitor with regularity
• Lacks central manageability and operations; reporting and analysis is manual
"Current radio frequency scanning tools such as Sniffer and AirMagnet are limited in their ability to perform scalable and repeatable audits." META Group, September 2002
Purpose-built Monitoring & IDS/IPS
What it does: Enterprise-Wide 24x7 Full-Time Monitoring and Reporting
Pros:
• Comprehensive enterprise view for APs and all WLAN devices
• Highest security level
• Most detailed reporting
• Enhanced operational support
Cons: Requires additional infrastructure
Expert Opinion on Wireless Monitoring
• "Incorrectly set-up WLANs put the wired LAN at risk as well"
• "Unmanaged WLANs can jeopardize entire enterprise network, data and operations"
• "New sophisticated security risks continue to emerge as wireless matures"
• "Through 2006, 70% of successful WLAN attacks will be because of the misconfiguration of APs or client software."
• "Wireless devices create backdoors for hackers and can render firewalls, IDS and VPNs useless."
WLAN security monitoring is necessary to keep your enterprise secure
• "The signature, correlation and behavior analysis that AirDefense brings to the table is best in class"
• "Best all around wireless IDS solution in our lab tests"
WLAN Monitoring/IPS: Secures from Threats
[Diagram: Corporate Network with Hardware AP, Wireless Laptop, Barcode Scanner, Soft AP, Rogue Access Point, Neighboring WLAN, Hotspot / Evil Twin, Intruder in the Parking Lot, Confidential Data; sanctioned links marked Secure]
• Proactively prevents exploitation of wireless network
• Prevents authorized stations from attaching to unauthorized devices
• Prevents unauthorized devices from attaching to the network
• Surgically identifies and removes threatening rogues
• Extends wireless protection to the mobile worker
Key Requirements for a Manageable Wireless IPS
Discover (Find It) > Analyze (Figure It Out) > Correct (Fix It)
• There is an AP nearby > It is on my network > Disconnect it from my network
• Flood of disconnect frames > It is affecting three stations > Have the network ignore requests temporarily
• Abnormal activity found > User appears to be in two places at once > Disconnect anomalous user
• User drawn into Access Point > Spoofed AP downloading user data > Disconnect station; locate spoofed AP
Evolution of WLAN Monitoring Solutions
1. Capture + Basic Detection
2. Multi-engine Detection
3. Enterprise Policy Manager
4. Relationships & Behavior of WLAN Devices
5. Correlation Technologies
6. Forensics & Historical Analysis
7. Pro-active Enforcement
Comprehensive systems must perform advanced/actionable analysis and detection.
Advanced WLAN monitoring solution is not just about capturing RF traffic…
Technology for Accurate Detection of Threats & Attacks
[Diagram: detection engines (Anomalous Behavior, Protocol Abuse, Signature Analysis, Policy Manager, Stateful Analysis, Statistical Baselining and Aggregation) feeding Correlation and Correlation Across Sensors, producing ACCURATE ALARMS and a Threat Index]
Goal: Detect all known and day zero threats and attacks reliably
Challenge: It is a race with hackers. New threats are evolving rapidly
• Multiple detection technologies are required for accurate & comprehensive detection
• Many threats require correlation across sensors (certain identity theft)
• Day Zero attacks require anomalous behavior analysis
• Correlation across multiple detection engines reduces false positives
• Third Party infrastructure e.g. Cisco
• Focus on threat index by location or sensor rather than individual alarms
Policy Enforcement & Compliance
Adopt security policies and procedures to address the security weaknesses of the wireless environment
AirDefense Enables Compliance with: DOD, DHS, SOX, HIPAA, GLBA, FDIC, OCC
Closed Loop Compliance: Define > Monitor > Enforce
Define Policy
• Security
• Configuration; VLANs
• Performance
• Vendor / Channel
Monitor for Compliance
• Compliance with corporate, regulatory requirements?
• Network performing correctly?
Enforce
• Turn off SSID broadcast
• Change channel of AP
• Terminate
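The Define > Monitor > Enforce loop above, together with the probing-laptop slide and the per-sensor threat index, as an added example that is not AirDefense's engine: policy values, observations and severity weights are constructed, and enforcement is left to the caller.

```python
# Define: sanctioned APs keyed by BSSID plus global rules (constructed values).
POLICY = {
    "aps": {  # bssid -> required configuration
        "00:0c:29:aa:bb:01": {"ssid": "CORP", "channel": 6, "encryption": "WPA"},
        "00:0c:29:aa:bb:02": {"ssid": "CORP", "channel": 11, "encryption": "WPA"},
    },
    "broadcast_ssid": False,          # slide: "Turn off SSID broadcast"
    "corporate_ssids": {"CORP"},
    "severity": {"rogue-ap": 10, "ad-hoc": 8, "wrong-channel": 3,
                 "encryption-mismatch": 7, "ssid-broadcast": 2, "foreign-probe": 4},
}

# Monitor: constructed observations from two sensors.
OBSERVED_APS = [  # (sensor, bssid, ssid, channel, encryption, broadcasts_ssid, mode)
    ("Lobby", "00:0c:29:aa:bb:01", "CORP", 6, "WPA", False, "infra"),
    ("Lobby", "00:0c:29:aa:bb:02", "CORP", 1, "WPA", True, "infra"),    # drifted channel, SSID on
    ("Lab", "00:1a:2b:3c:4d:5e", "linksys", 6, "NONE", True, "infra"),  # unknown AP
    ("Lab", "02:11:22:33:44:55", "free-net", 3, "NONE", True, "adhoc"),  # ad hoc peer
]
OBSERVED_PROBES = [  # (sensor, station_mac, probed_ssid): XP stations asking for past SSIDs
    ("Lobby", "00:02:2d:50:d1:4e", "CORP"),
    ("Lobby", "00:02:2d:50:d1:4e", "home-wifi"),
]


def check_policy(policy, aps, probes):
    """Return (violations, threat_index). Each violation is (sensor, device, rule);
    threat_index sums severity per sensor so a site is triaged by score, not by alarm count."""
    violations = []
    for sensor, bssid, _ssid, chan, enc, bcast, mode in aps:
        if mode == "adhoc":
            violations.append((sensor, bssid, "ad-hoc"))
            continue
        rule = policy["aps"].get(bssid)
        if rule is None:                          # not a sanctioned AP at all
            violations.append((sensor, bssid, "rogue-ap"))
            continue
        if chan != rule["channel"]:
            violations.append((sensor, bssid, "wrong-channel"))
        if enc != rule["encryption"]:
            violations.append((sensor, bssid, "encryption-mismatch"))
        if bcast and not policy["broadcast_ssid"]:
            violations.append((sensor, bssid, "ssid-broadcast"))
    for sensor, sta, ssid in probes:             # a corporate laptop looking for a home SSID
        if ssid not in policy["corporate_ssids"]:
            violations.append((sensor, sta, "foreign-probe"))
    index = {}
    for sensor, _dev, rule in violations:
        index[sensor] = index.get(sensor, 0) + policy["severity"][rule]
    return violations, index
```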
Misconceptions of Security
[Diagram: "Secured Area"]
Don't get caught with a false sense of security. Monitor your air domain for threats and policy compliance.
Summary: Wireless LAN can be Secured
1. WLAN Risks are Significant Due to Shared Broadcast Media
2. Every Organization has WLANs (rogue and/or sanctioned) - Check out wigle.net
3. Probing Laptops are a Serious & Often Ignored Threat - Employee use of wireless at home is pervasive
4. WLAN Policy Enforcement is Required: Define > Monitor > Enforce
5. When deploying, use layered security approach: Encryption > Authentication > 24 X 7 RF Monitoring
6. Have Control over your Air Domain: Assets > Relationships > Behavior