Wireless LAN Deployment Best Practices Michael Boman IT Security Researcher & Developer http://proxy.11a.nu | [email protected]

Wireless LAN Deployment Best Practices


DESCRIPTION

Wireless LAN Deployment Best Practices presentation for ISACA Singapore 2005/08/19


Page 1: Wireless LAN Deployment Best Practices

Wireless LAN Deployment Best Practices

Michael Boman

IT Security Researcher & Developer

http://proxy.11a.nu | [email protected]

Page 2: Wireless LAN Deployment Best Practices

What We Will Cover

• Wireless Concepts

• Security Issues with Wireless Networks

• Attacks against Wireless Networks

• Countermeasures

• Q & A

Page 3: Wireless LAN Deployment Best Practices

Wireless Basics

• 802.11 - “WiFi” networks are typically implemented as either a standalone network solution, or to extend the capabilities of an existing wired network.

• The most common wireless configurations found today are:

– Ad Hoc mode

– Infrastructure mode

Page 4: Wireless LAN Deployment Best Practices

Terminology

• Frame – data transmitted by the physical medium

• Access point – a device attached to a wired network providing wireless access to users

• Service set – a series of access points working in conjunction to provide access

• SSID – string identifying a service set

• BSSID – MAC address of the AP in question

Page 5: Wireless LAN Deployment Best Practices

The different 802.11 Standards

• 802.11b

– Operating in the 2.4 GHz band

– Maximum theoretical data rate of 11 Mbps

– In a typical office environment, its maximum range is 75 meters at the lowest speed, but at higher speeds its range is about 30 meters.

Page 6: Wireless LAN Deployment Best Practices

The different 802.11 Standards

• 802.11a

– Operating in the 5 GHz band

– Maximum theoretical data rate of 54 Mbps

– In a typical office environment, its maximum range is 50 meters at the lowest speed, but at higher speeds the range is less than 25 meters.

Page 7: Wireless LAN Deployment Best Practices

The different 802.11 Standards

• 802.11g

– Operating in the 2.4 GHz band

– Maximum theoretical data rate of 54 Mbps

– Backward compatibility with 802.11b

Page 8: Wireless LAN Deployment Best Practices

The different 802.11 Standards

• 802.11i

– Supplemental draft standard intended to improve WLAN security.

– Describes the encrypted transmission of data between systems of 802.11a and 802.11b WLANs.

– Defines new encryption key protocols including the Temporal Key Integrity Protocol (TKIP) and the Advanced Encryption Standard (AES).

Page 9: Wireless LAN Deployment Best Practices

The different 802.11 Standards

• 802.1X

– IEEE standard for access control for wireless and wired LANs; 802.1X provides a means of authenticating and authorizing devices to attach to a LAN port.

– This standard defines the Extensible Authentication Protocol (EAP), which uses a central authentication server to authenticate each user on the network.

Page 10: Wireless LAN Deployment Best Practices

Concepts of the 802.11 MAC layer

• Three types of frames

– Management

• Access control: authentication, association

• Media detection: beaconing, probing

– Data

• Transmit higher layer data to or from the access point

– Control

• Acknowledge receipt of data frames

• Reserve the medium for long frame exchanges

Page 11: Wireless LAN Deployment Best Practices

Concepts of the 802.11 MAC layer

• Client authenticates to a service set

– Before access, not throughout

– Shared secret key or no key

• Client associates to an access point

• Clients disassociate with an AP, re-associate with another as they move

Page 12: Wireless LAN Deployment Best Practices

Ad Hoc Networks

• Also referred to as “Independent Basic Service Set” (IBSS)

• Provides peer-to-peer communication links between two or more wireless devices without the use of an AP

• This is the default setting on most wireless cards

Page 13: Wireless LAN Deployment Best Practices

Ad Hoc mode or IBSS configuration

[Diagram: an ad hoc cell of wireless laptop computers communicating directly with each other]

Page 14: Wireless LAN Deployment Best Practices

Infrastructure Networks

– Also known as “Basic Service Set” (BSS)

– Requires an Access Point and at least one wireless client

– Connections are initiated with the proper Service Set Identifier (SSID), a shared secret manually entered on the AP and each client (not scalable)

– Sometimes Wired Equivalent Privacy (WEP) encryption keys are also configured (used about 30% of the time)

Page 15: Wireless LAN Deployment Best Practices

Infrastructure mode or BSS configuration

[Diagram: two wireless laptop computers associated to a wireless access point attached to the internal LAN]

Page 16: Wireless LAN Deployment Best Practices

Security Issues

Page 17: Wireless LAN Deployment Best Practices

Antenna Signal

• Walls and doors do not provide sufficient containment of the wireless signal. An Access Point (AP) placed inside a typical office can transmit a signal anywhere up to 300 meters.

– 100 meters in any direction will usually put you on a road, in a neighboring office or in a parking lot.

– Vertical threats such as offices above and below should also be taken into consideration when selecting your AP’s location.

– Hackers will war-drive at lunch looking for APs used in conference rooms.

Page 18: Wireless LAN Deployment Best Practices

Antenna Signal

• An attacker can compensate for your weak signal by using a directional antenna and/or amplifier

• At DefCon 13 earlier this month, a group of enthusiasts was able to set up an un-amplified 802.11 network at a distance of 201 km.

Page 19: Wireless LAN Deployment Best Practices

802.11 Design Flaws

• Management and control frames are not encrypted

– Can be spoofed without knowledge of the WEP key

• Weak authentication of the station

– Easy to get access to the wireless medium

• No authentication of the AP to the station

– Cannot prove an AP is legitimate

• Only a limited number of stations can use a single AP

– We can overflow an AP to prevent wireless access

Page 20: Wireless LAN Deployment Best Practices

SSID

• Some believe that by using a complicated SSID an unauthorized user will have difficulty gaining access to their AP.

– SSIDs are passed in the clear, even when WEP is enabled.

– It is a trivial matter to download free software off the Internet that is designed to intercept SSIDs from a wireless communication session.

Page 21: Wireless LAN Deployment Best Practices

SSID

Page 22: Wireless LAN Deployment Best Practices

SSID

Page 23: Wireless LAN Deployment Best Practices

Access Control

• Access Control at the MAC (Media Access Control) layer

• Most administrators feel that MAC layer filtering provides adequate security by allowing only clients with non-restricted MAC addresses to connect to the wireless network.

• MAC addresses are passed in the clear

• MAC addresses can easily be changed

Page 24: Wireless LAN Deployment Best Practices

Wired Equivalent Privacy (WEP)

• Should be “What on Earth does this Protect”

• Provides encryption to data frames only

• Probably fine on small, limited use networks

• Don’t depend on it for data security

• WEP gives administrators a false sense of security.

Page 25: Wireless LAN Deployment Best Practices

Wired Equivalent Privacy (WEP)

• Even when WEP is properly configured and deployed on a wireless network, it is still a trivial matter to break the encryption and gain access to the AP.

– WEP keys are static and configured manually (not a scalable solution)

– WEP requires the same secret key be shared by all wireless users within the cell

– Free software is available on the Internet that is used to crack the encryption

Page 26: Wireless LAN Deployment Best Practices

Wi-Fi Protected Access (WPA)

• The Wi-Fi Alliance put together WPA as a data encryption method for 802.11 wireless LANs.

• WPA is a pre-standard version of 802.11i utilizing the Temporal Key Integrity Protocol (TKIP), which fixes the problems of WEP (including by using dynamic keys).

• WPA will serve until the 802.11i standard is ratified.

Page 27: Wireless LAN Deployment Best Practices

Extensible Authentication Protocol (EAP)

• EAP is an 802.1X standard that allows developers to pass security authentication data between RADIUS and the access point (AP) and wireless client.

• EAP has a number of variants, including:

– EAP-MD5

– EAP-Tunneled TLS (EAP-TTLS)

– Lightweight EAP (LEAP)

– Protected EAP (PEAP)

Page 28: Wireless LAN Deployment Best Practices

User Network Access Controls

• One area that is commonly overlooked is the ability to regulate internal network access.

– Most users have varying levels of access to internal resources.

– All wireless users could potentially be entering the network by the same wireless AP.

Page 29: Wireless LAN Deployment Best Practices

Business Risks of Wireless LANs

• A wireless attacker could affect your business in the following ways:

– Ability to destroy data

– Ability to steal proprietary data from client workstations and servers

– Disruption of network service through corruption of network devices

• RISK: Inability to meet core business and customer needs that could lead to loss of revenue

Page 30: Wireless LAN Deployment Best Practices

Security Risks INTRODUCED by Wireless Technology

• Rogue Access Points

• Clients Communicating in Ad Hoc Mode

A Computerworld survey estimates that at least 30 percent of businesses have rogue wireless LANs.

Page 31: Wireless LAN Deployment Best Practices

Rogue Device Threat

Can make your network vulnerable…

• Even with a secure wireless network

• Even if you have no wireless network

• Both Access Points and Clients are dangerous

Goal

• Protect network jacks

• Identify unauthorized wireless devices

Page 32: Wireless LAN Deployment Best Practices

Rogue Access Points

• Placing an AP on the inside of your network will extend its access past any physical barriers or controls.

– APs are small and only take a few minutes to connect to your internal network

– The level of sophistication needed to install an AP is low

Page 33: Wireless LAN Deployment Best Practices

Denial of Service

• A user with malicious intent could configure a client to bombard the AP with thousands of connection requests eventually leading to the complete shutdown of the targeted AP.

• RF noise generation – Arc Welder – homemade jamming device

• Eventual saturation of RF devices – Bluetooth, 802.11b and g devices, etc.

Page 34: Wireless LAN Deployment Best Practices

Security Risks of Wireless LANs

• Easier for unauthorized devices to attach to wireless network

– Don’t need physical access

– Many organizations don’t apply security

– Presence of free wireless hacking tools

• Internal systems are usually not as secure as external or DMZ systems

Page 35: Wireless LAN Deployment Best Practices

Wireless is insecure by its very nature

The point?

Page 36: Wireless LAN Deployment Best Practices

Tools of the Trade

Page 37: Wireless LAN Deployment Best Practices

Hardware

Wireless Card and Antenna

Page 38: Wireless LAN Deployment Best Practices

Hardware

War-Driving Rig – Laptop, wireless card and Antenna

Page 39: Wireless LAN Deployment Best Practices

Software

• Types of Monitoring tools

– Stumbling

– Sniffing

– Handheld

• Hacking tools

– WEP Cracking

– ARP Spoofing

Page 40: Wireless LAN Deployment Best Practices

Stumbling Tools

Stumbling tools identify the presence of wireless networks. They look for beacons from access points, and also broadcast client probes and wait for access points to respond.

Page 41: Wireless LAN Deployment Best Practices

Sniffing Tools

Sniffing tools capture the traffic from a wireless network and can view the data passed across the air.

Page 42: Wireless LAN Deployment Best Practices

Handheld Tools

Handheld tools are more portable and provide wireless network identification and network status monitoring.

Page 43: Wireless LAN Deployment Best Practices

Hacking Tools

Hacking tools are for pointed attacks to gain access to secured wireless networks.

Page 44: Wireless LAN Deployment Best Practices

Attacks against Wireless Networks

Page 45: Wireless LAN Deployment Best Practices

Leeching access

• Easy to do

– Laptop and wireless card

– Scanning tools help, but not required

• Hard to track down

– Who wants / can afford to triangulate a signal?

• Biggest security implication

– Joe Kiddie (not Osama) can run scans & exploit hosts

– Won’t get traced back to daddy’s cable modem

• But admins can “cripple” wireless segment

– Rate limiting

– Filter naughty packets

Page 46: Wireless LAN Deployment Best Practices

Wireless Auto Configuration Algorithm

• First, Client builds list of available networks

– Send broadcast Probe Request on each channel

Page 47: Wireless LAN Deployment Best Practices

Wireless Auto Configuration Algorithm

• Access Points within range respond with Probe Responses

Page 48: Wireless LAN Deployment Best Practices

Wireless Auto Configuration Algorithm

• If Probe Responses are received for networks in preferred networks list:

– Connect to them in preferred networks list order

• Otherwise, if no available networks match preferred networks:

– Specific Probe Requests are sent for each preferred network in case networks are “hidden”

Page 49: Wireless LAN Deployment Best Practices

Wireless Auto Configuration Algorithm

• If still not associated and there is an ad-hoc network in preferred networks list, create the network and become first node

– Use self-assigned IP address (169.X.Y.Z)

Page 50: Wireless LAN Deployment Best Practices

Wireless Auto Configuration Algorithm

• Finally, if “Automatically connect to non-preferred networks” is enabled (disabled by default), connect to networks in order they were detected

• Otherwise, wait for user to select a network

– Continue scanning for networks
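The five slides above describe the Wireless Auto Configuration decision procedure step by step. The following is an added example, not code from the presentation: it models that procedure so a defender can see, for a given client profile, which network the client would join, which preferred SSIDs it names on the air when nothing answers its broadcast probe, and which profile settings deserve a second look. The client profile, SSIDs and the `profile_findings` checks are constructed for the example.

```python
"""Added example (not from the original slides): a model of the Wireless Auto
Configuration decision procedure as the slides describe it.  Client profile,
network names and the hardening checks are constructed for the example."""
from dataclasses import dataclass, field


@dataclass
class ClientProfile:
    preferred: list                              # preferred networks, most preferred first
    adhoc: set = field(default_factory=set)      # preferred entries that are ad-hoc (IBSS)
    auto_connect_nonpreferred: bool = False      # "connect to non-preferred networks", off by default


def auto_configure(client, broadcast_responses, specific_responses):
    """Simulate one pass of the algorithm.

    broadcast_responses: SSIDs that answered the broadcast Probe Request (detection order)
    specific_responses:  SSIDs that only answer a Probe Request naming them ("hidden")
    Returns (action, ssid, probed); `probed` lists the SSIDs the client named in
    specific Probe Requests, which is what any passive listener in range learns."""
    probed = []
    # Steps 1-3: build the list of available networks, join the first preferred match
    for ssid in client.preferred:
        if ssid in broadcast_responses:
            return ("associate", ssid, probed)
    # Step 4: no preferred network answered, so probe for each one by name
    probed.extend(client.preferred)
    for ssid in client.preferred:
        if ssid in specific_responses:
            return ("associate", ssid, probed)
    # Step 5: still not associated: create a preferred ad-hoc network, self-assigned IP
    for ssid in client.preferred:
        if ssid in client.adhoc:
            return ("create-adhoc", ssid, probed)
    # Step 6: only when the user enabled it, join whatever was detected, in detection order
    if client.auto_connect_nonpreferred and broadcast_responses:
        return ("associate", broadcast_responses[0], probed)
    # Step 7: otherwise wait for the user and keep scanning (back to step 1)
    return ("keep-scanning", None, probed)


def profile_findings(client):
    """What a reviewer would flag in a roaming profile, given the behaviour above."""
    findings = []
    for ssid in client.preferred:
        if ssid in client.adhoc:
            findings.append(f"ad-hoc entry '{ssid}': client starts its own cell when nothing else answers")
    if client.auto_connect_nonpreferred:
        findings.append("auto-connect to non-preferred networks is enabled")
    if client.preferred:
        findings.append(f"{len(client.preferred)} preferred SSIDs are named on the air whenever none answers the broadcast probe")
    return findings


# Constructed roaming profile: corporate network, home router, hotspot and an ad-hoc share
ROAMER = ClientProfile(preferred=["MegaCorp", "linksys", "t-mobile", "conference-share"],
                       adhoc={"conference-share"})

if __name__ == "__main__":
    print(auto_configure(ROAMER, ["MegaCorp", "Guest"], []))      # at the office
    print(auto_configure(ROAMER, ["AirportFree"], []))            # nothing preferred in range
    for finding in profile_findings(ROAMER):
        print("finding:", finding)
```

The second call is the one worth studying: with nothing preferred in range the client has named all four preferred SSIDs in specific probes and then brought up its own ad-hoc cell, without any user action. Trimming the preferred list and removing ad-hoc entries from it changes both outcomes.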

Page 51: Wireless LAN Deployment Best Practices

Attacking Wireless Auto Configuration

• Attacker spoofs disassociation frame to victim

• Client sends broadcast and specific Probe Requests again

– Attacker discovers networks in Preferred Networks list (e.g. linksys, MegaCorp, t-mobile)

Page 52: Wireless LAN Deployment Best Practices

Attacking Wireless Auto Configuration

• Attacker creates a rogue access point with SSID MegaCorp

Page 53: Wireless LAN Deployment Best Practices

Attacking Wireless Auto Configuration

• Victim associates to attacker’s fake network

– Even if preferred network was WEP (XP SP 0)

• Attacker can supply DHCP, DNS, …, servers

Page 54: Wireless LAN Deployment Best Practices

Wireless Auto Configuration Attacks

• Join ad-hoc network created by target

– Sniff network to discover self-assigned IP (169.X.Y.Z) and attack

• Create a more Preferred Network

– Spoof disassociation frames to cause clients to restart scanning process

– Sniff Probe Requests to discover Preferred Networks

– Create a network with SSID from Probe Request

• Create a stronger signal for currently associated network

– While associated to a network, clients send Probe Requests for the same network to look for a stronger signal

You can be 0wned (= compromised) while watching a DVD on a plane!

Page 55: Wireless LAN Deployment Best Practices

A Tool to Automate the Attack

• Track clients by MAC address

– Identify state: scanning/associated

– Record preferred networks by capturing Probe Requests

– Display signal strength of packets from client

• Target specific clients and create a network they will automatically associate to

• Compromise client and let them rejoin original network

– Connect back out over Internet to attacker

– Launch worm inside corporate network

– Etc.

Page 56: Wireless LAN Deployment Best Practices

Creating An ALL SSIDs Network

• Can we attack multiple clients at once?

• Want a network that responds to Probe Requests for any SSID

• PrismII HostAP mode handles Probe Requests in firmware, doesn’t pass them to driver

• Atheros has no firmware, and HAL has been reverse engineered for a fully open-source “firmware” capable of Monitor mode, Host AP

Page 57: Wireless LAN Deployment Best Practices

Creating a FishNet

• Want a network where we can observe clients in a “fishbowl” environment

• Once victims associate to wireless network, will acquire a DHCP address

• We run our own DHCP server

– We are also the DNS server and router

Page 58: Wireless LAN Deployment Best Practices

FishNet Services

• When wireless link becomes active, client software activates and attempts to connect, reconnect, etc. without requiring user action

• Our custom DNS server replies with our IP address for every query

• We also run “trap” web, mail, chat services

– Fingerprint client software versions

– Steal credentials

– Exploit client-side application vulnerabilities

Page 59: Wireless LAN Deployment Best Practices

Client-Side Application Vulnerabilities

• Recent client-side vulnerabilities

– Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege

– Vulnerability in JView Profiler Could Allow Remote Code Execution

– Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution

– Vulnerability in Server Message Block Could Allow Remote Code Execution

– …

• Exploits can make use of fingerprinting info

Page 60: Wireless LAN Deployment Best Practices

Beating access control

• MAC address spoofing

– Sniff or brute force legitimate MAC addresses

– Return and use those addresses later

• Crack WEP key with known tools (hours, days)

– Or just find one among the multitude of available APs without WEP…

Page 61: Wireless LAN Deployment Best Practices

Denial of service

• Forge disassociations

– Deny an individual station access

– Also used to hijack sessions

• Forge lots of associations

– Saturate an access point

– Access point will stop accepting associations

• Forge lots of beacon frames

– Creates illusion of access points that don’t exist

– Can also throw off a war driver seeking access

Page 62: Wireless LAN Deployment Best Practices

Session hijacking

• Disassociate client

• Take over any desired existing network sessions

• New venue for known transport session hijacking

Page 63: Wireless LAN Deployment Best Practices

Man in the middle

• Impersonate an access point

• Tamper with data

• Pass on to legitimate access point

• Existing SSH, SSL and other MITM attacks also have a new venue on 802.11

Page 64: Wireless LAN Deployment Best Practices

Home Users

[Diagram: a home user’s wireless access point with two “Hack-me” hosts behind it]

Page 65: Wireless LAN Deployment Best Practices

Corporate Networks

[Diagram: a wireless hacker, the corporate wireless access point, the switch, and the Accounting and Payroll systems behind it]


Page 67: Wireless LAN Deployment Best Practices

Corporate Networks

ARP Cache Attacks can also be launched against:

• Wireless Clients connected to the AP

• Wireless Clients and Wired Clients

• Wireless Home Users (Couch Networks)

• And many other combinations

Page 68: Wireless LAN Deployment Best Practices

Telecommuters

[Diagram: a telecommuting employee and an attacker both reaching the corporate network across the Internet]

Page 69: Wireless LAN Deployment Best Practices

Countermeasures

Page 70: Wireless LAN Deployment Best Practices

SEC-U-R-IT-Y

If not you, who? If not now, when?

The key to security awareness is embedded in the word security…

Page 71: Wireless LAN Deployment Best Practices

Countermeasures

• Holistic Approach

– Prevention

– Identification

– Response

Page 72: Wireless LAN Deployment Best Practices

Prevention

• Create a completely separate wireless security policy

• Do a complete Site Survey before placement of AP’s

• Wireless networks should always be treated as un-trusted and never placed behind corporate firewalls

• Use MAC layer filtering

• Be sure to change the SSID from the default value and disable broadcasting if possible

Page 73: Wireless LAN Deployment Best Practices

Prevention

• Use encryption, even WEP (low hanging fruit theory)

• Static IPs vs DHCP

• Use third party software for additional security: authentication, VPN encryption

• Use personal firewall and anti-malware software on your wireless client systems

• Install the latest security patches and firmware updates on your wireless equipment

Page 74: Wireless LAN Deployment Best Practices

Prevention

• Do regular audits of deployed wireless equipment

• Perform regular sweeps for un-authorized wireless equipment

• Perform regular Penetration Tests against your whole infrastructure, including the wireless segments (alternative: concentrate on perimeter and wireless segments)

Page 75: Wireless LAN Deployment Best Practices

Identification

• Deploy Wireless IDS sensors

• Identify your signal range: clients with antennas can pick up your signal further away than without one

• Periodically scan your facility for rogue access points using the same software attackers are using

• Check your internal logs for strange anomalies concerning MAC addresses
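The rogue access point sweep on this slide (and the “Identify unauthorized wireless devices” goal on the Rogue Device Threat slide) comes down to comparing what a scan hears with what you deployed. The following is an added example, not code from the presentation or from any scanning tool: it takes sweep results and the inventory of authorised access points, skips exact matches, and classifies the rest as an authorised AP with the wrong SSID, an evil twin (our SSID from a BSSID we do not own), an ad-hoc cell, a strong unknown AP worth walking down, or a weak neighbour. The inventory, the sweep records and the signal floor are constructed.

```python
"""Added example (not from the slides): classify a wireless sweep against the
inventory of authorised access points.  Inventory, sweep records and the
signal floor are constructed for the example."""
from collections import Counter

# Authorised APs as recorded at deployment: BSSID -> SSID (constructed)
AUTHORIZED_APS = {
    "00:0c:41:aa:bb:01": "MegaCorp",
    "00:0c:41:aa:bb:02": "MegaCorp",
    "00:0c:41:aa:bb:03": "MegaCorp-Guest",
}

# Constructed sweep output: (bssid, ssid, mode, channel, signal_dbm)
SWEEP = [
    ("00:0c:41:aa:bb:01", "MegaCorp", "infrastructure", 1, -48),
    ("00:0c:41:aa:bb:03", "MegaCorp", "infrastructure", 11, -60),   # inventory says MegaCorp-Guest
    ("00:13:10:de:ad:01", "MegaCorp", "infrastructure", 6, -40),    # our SSID, not our AP
    ("02:1f:3b:12:34:56", "conference-share", "ad-hoc", 6, -55),    # client-to-client cell
    ("00:14:bf:77:88:99", "linksys", "infrastructure", 6, -82),     # weak, probably next door
    ("00:1a:2b:3c:4d:5e", "dlink", "infrastructure", 11, -45),      # strong unknown AP
]


def classify_sweep(sweep, authorized, neighbour_floor_dbm=-75):
    """Return (bssid, ssid, finding) for every record that is not an exact
    inventory match.  Findings, in order of precedence:
      ssid-mismatch    authorised BSSID advertising a different SSID (misconfiguration)
      evil-twin        one of our SSIDs from a BSSID we do not own
      ad-hoc           IBSS cell; clients in ad-hoc mode are a risk in their own right
      rogue-candidate  unknown infrastructure AP heard at or above the floor, locate it
      neighbour        unknown AP heard below the floor, record it and move on"""
    our_ssids = set(authorized.values())
    findings = []
    for bssid, ssid, mode, _channel, signal in sweep:
        if authorized.get(bssid) == ssid:
            continue
        if bssid in authorized:
            finding = "ssid-mismatch"
        elif ssid in our_ssids:
            finding = "evil-twin"
        elif mode == "ad-hoc":
            finding = "ad-hoc"
        elif signal >= neighbour_floor_dbm:
            finding = "rogue-candidate"
        else:
            finding = "neighbour"
        findings.append((bssid, ssid, finding))
    return findings


def finding_counts(findings):
    """Per-category counts, the number to trend from one sweep to the next."""
    return Counter(finding for _, _, finding in findings)


if __name__ == "__main__":
    for bssid, ssid, finding in classify_sweep(SWEEP, AUTHORIZED_APS):
        print(f"{finding:16} {bssid}  {ssid}")
    print(dict(finding_counts(classify_sweep(SWEEP, AUTHORIZED_APS))))
```

The signal floor is site specific: set it from the site survey the Prevention slide asks for, so that a neighbour’s AP heard through the wall does not trigger a walk-down every week, while anything strong enough to be inside the building does.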

Page 76: Wireless LAN Deployment Best Practices

Response

• Have an adequate response plan in place to deal with malicious activity

• Have the ability to log activity of a malicious user to aid in prosecution

• Have the ability to control and reconfigure your Access Points on the fly

Page 77: Wireless LAN Deployment Best Practices

Countermeasures - Antenna Signal

• Proper selection of antenna (parabolic, etc.)

• Attenuate the signal by reducing transmitter power if possible

• Ground interior walls (if metal construction)

• Thermally insulate exterior glass using metallic window treatments

• Smart positioning of APs

• Lining closets housing the AP with aluminum foil

• Use of metallic paints (extreme)

Page 78: Wireless LAN Deployment Best Practices

Countermeasures - SSID

• Turn off SSID broadcasting at the AP if possible (Not all AP vendors allow this)

• Understand that SSID’s provide “Zero” security

• Avoid using a SSID that gives away information about your network. (“TaxNet1” or “Kennedy:Mailroom”)

Page 79: Wireless LAN Deployment Best Practices

Countermeasures - MAC ACL

• Do not depend on MAC layer filtering as your only security solution for providing secure AP access

• Use Intrusion Detection Systems (IDS) to alert you when an excessive number of unsolicited ARP replies are detected on the network

• Use the tool “arpwatch” - This tool will provide E-mail notification when IP to MAC bindings change.
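The two bullets above are one detection problem seen from two angles: arpwatch keeps a table of IP-to-MAC bindings and reports when one changes, and an IDS counts ARP replies nobody asked for. The following is an added example, neither the presentation’s nor arpwatch’s own code, that does both over a list of ARP events as a sensor on the wireless segment might log them. The addresses, the events and the thresholds are constructed.

```python
"""Added example, not from the slides or from arpwatch: an arpwatch-style
IP-to-MAC binding monitor plus a rate check on unsolicited ARP replies.
All addresses, events and thresholds are constructed for the example."""
from collections import Counter, defaultdict

GW_IP, GW_MAC = "10.0.0.1", "00:0c:41:aa:bb:10"            # constructed gateway
CLIENT_IP, CLIENT_MAC = "10.0.0.25", "00:11:22:33:44:55"   # constructed wireless client
OTHER_MAC = "00:de:ad:be:ef:01"                            # constructed: another host on the segment


def constructed_arp_events():
    """(timestamp_s, op, sender_ip, sender_mac, target_ip).  Two normal
    request/reply exchanges, then six replies claiming the gateway's IP from a
    different MAC that nobody requested, then the real gateway answering again."""
    events = [
        (0.0, "request", CLIENT_IP, CLIENT_MAC, GW_IP),
        (0.1, "reply", GW_IP, GW_MAC, CLIENT_IP),
        (5.0, "request", GW_IP, GW_MAC, CLIENT_IP),
        (5.1, "reply", CLIENT_IP, CLIENT_MAC, GW_IP),
    ]
    events += [(10.0 + i, "reply", GW_IP, OTHER_MAC, CLIENT_IP) for i in range(6)]
    events += [
        (19.9, "request", CLIENT_IP, CLIENT_MAC, GW_IP),
        (20.0, "reply", GW_IP, GW_MAC, CLIENT_IP),
    ]
    return events


def analyze_arp(events, solicit_window_s=2.0, flood_threshold=5):
    """Return (alerts, bindings).  Alert tuples:
      ("changed", ip, old_mac, new_mac)   the binding for ip changed (arpwatch's "changed ethernet address")
      ("unsolicited-flood", mac, count)   mac sent at least flood_threshold replies nobody asked for"""
    bindings = {}                      # ip -> mac currently believed, learned from every ARP packet
    requests = defaultdict(list)       # ip being asked for -> timestamps of requests
    unsolicited = Counter()            # sender mac -> count of unsolicited replies
    alerts = []
    for ts, op, sender_ip, sender_mac, target_ip in sorted(events):
        previous = bindings.get(sender_ip)
        if previous is not None and previous != sender_mac:
            alerts.append(("changed", sender_ip, previous, sender_mac))
        bindings[sender_ip] = sender_mac
        if op == "request":
            requests[target_ip].append(ts)
        else:
            # a reply is solicited only if someone asked for sender_ip recently
            asked = any(ts - t <= solicit_window_s for t in requests[sender_ip])
            if not asked:
                unsolicited[sender_mac] += 1
    for mac, count in unsolicited.items():
        if count >= flood_threshold:
            alerts.append(("unsolicited-flood", mac, count))
    return alerts, bindings


if __name__ == "__main__":
    alerts, bindings = analyze_arp(constructed_arp_events())
    for alert in alerts:
        print(alert)
    print(bindings)
```

The two “changed” alerts for the gateway address are the flip-flop pattern arpwatch reports; on a network with static gateway hardware, a gateway IP that changes MAC twice in twenty seconds is worth an immediate look at the wireless segment.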

Page 80: Wireless LAN Deployment Best Practices

Countermeasures - WEP

• Proprietary solutions offered by certain vendors are all incorporating dynamic key management into their products (Cisco, Enterasys, AVAYA, etc.). Be careful not to commit yourself to a single vendor-specific solution.

• Use IPSec VPN software

• Use EAP/802.1X (Extensible Authentication Protocol) to provide centralized authentication (RADIUS, etc.) and dynamic key distribution

Page 81: Wireless LAN Deployment Best Practices

Countermeasures - User Access Control

• Use multiple APs to access different segments of the network, each with a unique SSID.

• Use a third party VPN solution to connect the users to the appropriate network segment.

– This solution can be used through a single AP for all users. Each user would be routed internally to the appropriate VPN endpoint within the corporate network.

Page 82: Wireless LAN Deployment Best Practices

Countermeasures - Access Point (AP)

• Update your corporate policy to prohibit the installation of an AP without the approval of internal security or the IT department

• Always place AP’s outside a firewall, inside a DMZ, or within a sandbox network.

• Disable unused ports on the internal switches until needed (especially in conference rooms)

• Monitor any new MAC addresses on the internal network that are discovered (“ArpWatch”)

Page 83: Wireless LAN Deployment Best Practices

Countermeasures - DOS

• Shield the perimeter of your building

• This will help in two ways:

– Help contain your wireless signal within a defined perimeter

– Reduce the risk of outside RF interference

Page 84: Wireless LAN Deployment Best Practices

Wireless can be Secure

• Apply all security features of products

• Require Authentication, Authorization and Encryption

• Use the same well known network security solutions as wired networks, including:

– Network segmentation

– Use of personal firewalls

– Well defined, trainable, and enforceable security policy

• Perform Wireless Security Monitoring

Page 85: Wireless LAN Deployment Best Practices

Putting it all together

[Diagram: a wireless laptop computer with personal firewall and VPN software connects to a wireless access point configured with WEP, MAC filtering and a unique SSID (if broadcasting is not disabled); the access point sits in front of a firewall (passing IP protocols 50 and 51 and UDP port 500) behind which a VPN gateway and an authentication server lead to the internal LAN; an IDS watches the internal LAN and WIDS sensors watch the wireless side]

Page 86: Wireless LAN Deployment Best Practices

Questions?