1 / 33

Securing the Wireless LAN

Securing the Wireless LAN. George Ou Network Systems Architect Contributing editor – ZDNet. Contents. Introduction Relative risks of Wireless LANs Six dumbest ways to secure a WLAN Tools of the wireless LAN hacker The best ways to secure the WLAN SOHO WLAN implementations

Olivia
Download Presentation

Securing the Wireless LAN

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Securing the Wireless LAN George Ou Network Systems Architect Contributing editor – ZDNet

  2. Contents • Introduction • Relative risks of Wireless LANs • Six dumbest ways to secure a WLAN • Tools of the wireless LAN hacker • The best ways to secure the WLAN • SOHO WLAN implementations • Enterprise WLAN implementations

  3. Introduction • Wireless security is a huge headache in IT • Wireless security widely misunderstood • Wireless security is everyone’s problem even if you don’t “think” you have a WLAN • Banning WLANs often result in “improvised” home grown solutions • Wireless LANs can be secured • Wireless security applicable elsewhere in IT

  4. Relative risks of Wireless LANs • Wireless security is NOT an oxymoron • Less dangerous than having an Internet connection direct or indirect • Attacks from the Internet can come from anywhere on the entire globe • Web/FTP/Mail/DNS Servers • Back doors R00TK1T5 that can dial home • Attacks on Wireless LANs are limited to a couple of kilometers

  5. Six dumbest ways to secure a WLANOverview • MAC “authentication” • SSID “hiding” • LEAP authentication • Disabling DHCP • Antenna placement and signal suppression • Switch to 802.11a or Bluetooth Wireless LANs ______________________________________ • Dishonorable mention: WEP Original article on http://blogs.zdnet.com/Ou

  6. Six dumbest ways to secure a WLANMAC “authentication” • Use of the word “authentication” is laughable • All that’s happening is MAC address filtering • MAC addresses are transmitted in clear text • Extremely easy to capture • Extremely easy to clone and defeat • Extremely difficult to manage MAC filtering

  7. Six dumbest ways to secure a WLANMAC spoofing

  8. Six dumbest ways to secure a WLANSSID “hiding” • No such thing as “hiding” an SSID • All that’s happening is Access Point beacon suppression • Four other SSID broadcasts not suppressed • Probe requests • Probe responses • Association requests • Re-association requests • SSIDs must be transmitted in clear text or else 802.11 cannot function

  9. Six dumbest ways to secure a WLANLEAP authentication • Cisco LEAP authentication is extremely weak • LEAP successor EAP-FAST not much better • Cisco dominates Enterprise WLAN market • Significant percentage of Cisco shops use LEAP but have started to migrate to EAP-TLS • LEAP and EAP-FAST are free on client side • Only Cisco can sell LEAP and EAP-FAST on Access Points • Cisco APs support all open authentication standards like EAP-TLS and PEAP

  10. Six dumbest ways to secure a WLANDisabling DHCP • Disabling DHCP and forcing the use of Static IP addresses is another common myth • IP schemes are easy to figure out since the IP addresses are sent over the air in clear text • Takes less than a minute to figure out an IP scheme and statically enter an IP address

  11. Six dumbest ways to secure a WLANAntenna placement and signal suppression • Antenna placement and signal suppression does nothing to encrypt data • The hacker’s antenna is bigger than your’s • Directional high-gain antennas can pick up a weak signal from several kilometers away • Lowering the signal hurts legitimate users a lot more than it hurts the hackers • Wi-Fi paint or wall paper not 100% leak proof and very expensive to implement

  12. Six dumbest ways to secure a WLANSwitch to 802.11a or Bluetooth wireless LANs • 802.11a is a transport mechanism similar to 802.11b or 802.11g • 802.11a has nothing to do with security • Pray that the hacker doesn’t have 5 GHz 802.11a capable equipment • Bluetooth is more of a wireless USB alternative • Can be used for wireless networking but not designed as an 802.11 a or b/g replacement

  13. Six dumbest ways to secure a WLANDishonorable mention: WEP • WEP barely missed the six dumbest list because it can still hold up for a couple of minutes • Hacker named “KoreK” releases new WEP analysis tool in August 2004 • WEP coupled with 802.1x and EAP key rotation (AKA DWEP) is considered broken • Packet injection techniques lowers WEP cracking times to minutes Article: Next generation WEP cracking tools

  14. Tools of the wireless LAN hackerOverview • Software • Auditor CD • Kismet • ASLEAP • Void11, Aireplay, Airedump, and Aircrack • Hardware • Cheap and compatible cardbus adapters • Omni directional high-gain antennas • Directional high-gain antennas • Off the shelf Laptop computer

  15. Tools of the wireless LAN hackerAuditor CD • Bootable Linux CD with every security auditing tool under the sun • Everything needed to penetrate most wireless LAN and more • Mentioned as a favorite of the FBI • Relatively easy to use

  16. Tools of the wireless LAN hackerKismet • Kismet is a Linux wireless LAN audit tool • Can see “hidden” SSIDs • Can see MAC addresses • Can see IP schemes • Can capture raw packet • GUI version lays everything out

  17. Tools of the wireless LAN hackerASLEAP • ASLEAP cracks Cisco LEAP authentication • Exploits weak MSCHAPv2 authentication • Uses pre-computed indexed hash tables • Checks 45 million passwords a second • Upgraded to support PPTP VPN cracking

  18. Tools of the wireless LAN hackerVoid11, Aireplay, Airedump, and Aircrack • New set of tools makes WEP cracking hundreds of times faster • Void11 forces users to re-authenticate • Aireplay monitors re-auth session for ARP and then plays back the ARP request to trigger responses from legitimate computers • Airedump captures all of the raw packets • Aircrack only needs 200,000 packets instead of 10,000,000 packets from previous tools

  19. Tools of the wireless LAN hackerHardware: Cheap and compatible cardbus adapters • Prism 2/3 based 802.11b adapters • PrismGT based 802.11 b/g adapters • Atheros based 802.11 a/b/g adapters • All typically around $40 to $70 USD • All compatible with Linux cracking tools

  20. Tools of the wireless LAN hackerOmni directional high-gain antennas • Typically 7 to 9 dB gain • General purpose surveying and war driving • Can be used to create evil twin access point • Less than $100 USD

  21. Tools of the wireless LAN hackerDirectional high-gain antennas • Used to aim and focus in on victim • Picks up weak signals many kilometers away • Around $100 USD

  22. Tools of the wireless LAN hackerOff the shelf Laptops • Any Laptop or PC can be used for hacking • New Laptops with good cracking speed are as low as $400 USD • Wireless hacking is NOT cost prohibitive!

  23. The best ways to secure the WLANOverview • Good cryptography allows secure communications over unsecured medium • Follow best practice cryptographic principles • Strong authentication • Strong encryption • WPA and WPA2 standards

  24. The best ways to secure the WLANStrong authentication background • Strong authentication is often overlooked • Well established secure authentication methods all use SSL or TLS tunnels • TLS is the successor of SSL • SSL has been used for nearly a decade in E-Commerce • SSL or TLS requires Digital Certificates • Digital Certificates usually involves some form of PKI and Certificate management

  25. The best ways to secure the WLANStrong authentication in Wireless LANs • Wireless LANs typically use 802.1x and EAP • Common standard EAP types are EAP-TLS, EAP-TTLS and PEAP • LEAP and EAP-FAST are not standard • EAP-TLS requires server and client certificates • EAP-TTLS and PEAP only require client-side certificates • EAP-TTLS created by Funk and Certicom • PEAP created by Microsoft, Cisco and RSA Details on EAP types at: http://blogs.zdnet.com/Ou/?p=67

  26. The best ways to secure the WLANStrong authentication and RADIUS servers • EAP authentication requires RADIUS support in Access Point and one or more RADIUS servers • Microsoft Windows 2003 Server has fully functional RADIUS component called IAS • Supports EAP-TLS and PEAP • Windows 2000 only supports EAP-TLS • Easily integrates in to NT domains or Active Directory • Funk software makes Steelbelted and Odyssey • Open source FreeRadius supports broad range of EAP types

  27. The best ways to secure the WLANStrong encryption • Encryption is well understood • No known methods of breaking good encryption • DES encryption has never been crypto-analyzed in nearly 30 years and must be brute forced • 3DES still considered solid but slow • AES is the official successor to DES and is solid at 128, 192, or 256 bits

  28. The best ways to secure the WLANStrong encryption in Wireless LANs • RC4 encryption is known to be weak • WEP uses a form of RC4 encryption • Dynamic WEP makes WEP cracking harder • TKIP is a rewritten WEP algorithm • No known methods against TKIP yet but some theoretical attacks are on the horizon • AES encryption mandated in the newest Wireless LAN standards is rock solid

  29. The best ways to secure the WLANWPA and WPA2 standards • WPA used a trimmed down version of 802.11i • WPA2 uses the ratified 802.11i standard • WPA and WPA2 certified EAP types • EAP-TLS (first certified EAP type) • EAP-TTLS • PEAPv0/EAP-MSCHAPv2 (Commonly known as PEAP) • PEAPv1/EAP-GTC • EAP-SIM • WPA requires TKIP capability with AES optional • WPA2 requires both TKIP and AES capability Details on EAP types at: http://blogs.zdnet.com/Ou/?p=67

  30. SOHO WLAN implementations • Minimum encryption should be TKIP • Run AES encryption if possible • EAP authentication usually not feasible for Small offices and home offices • SOHO WLANs usually rely on WPA-PSK • PSK (pre-shared keys) are easier than WEP with 26 HEX digits • PSK must be at least 8 alphanumeric random characters • Zyxel offers Access Points with PEAP RADIUS built-in

  31. Enterprise WLAN implementationsWPA and WPA2 standards • Minimum encryption should be TKIP • Run AES encryption if possible • EAP-TLS authentication recommended • PEAP or EAP-TTLS authentication at a minimum

  32. Enterprise WLAN implementationsWireless Switches • Wireless LAN switches manage large numbers of Access Points • Much easier to manage • Wireless switch makers • Symbol • Cisco Airespace • Aruba

  33. Enterprise WLAN implementationsAdvanced security implementations • Multiple Virtual SSID and VLAN support • VLAN assignment based on group membership • Guest Wireless LANs that are isolated • Mitigating WEP security risks for WEP only devices using Firewall or Router ACLs (Access Control Lists) • Can be done with single device such as the Cisco 851W which is a Firewall, Router, Managed Switch, and Access Point all-in-one

More Related