Wireless Update Chris Gohlke, CPA Lead Senior Auditor Florida Auditor General IT Audits Division chrisgohlke@aud.state.fl.us
Outline • Wi-Fi (802.11) • RFID • Bluetooth The purpose of this class is to serve as a high-level overview. I’ve included a lot of extra information in these slides that won’t be covered in class.
What is Wi-Fi? • Wi-Fi (sometimes written Wi-fi, WiFi, Wifi, wifi) is a trademark for sets of product compatibility standards for wireless local area networks (WLANs). Wi-Fi, short for "Wireless Fidelity", was intended to allow mobile devices, such as laptop computers and personal digital assistants (PDAs), to connect to local area networks, but is now often used for Internet access and wireless VoIP phones. Desktop computers can use Wi-Fi too, allowing offices and homes to be networked without expensive wiring. Many computers are sold today with Wi-Fi built in; others require adding a Wi-Fi network card. Other devices, such as digital cameras, are sometimes equipped with Wi-Fi. • Short Version – Wi-Fi gets rid of the Network Cable
Why Wi-fi? • Governments are deploying wireless LANs for cost and operational benefits such as allowing for a more mobile workforce. • Educational entities are deploying wireless LANs for cost, operational, and marketing benefits.
However, the biggest driver of wireless adoption is the explosion of devices, which is creating a demand for and an expectation of wireless.
Infrastructure vs. Ad Hoc • Infrastructure • Access Point(s) in Network • Ad hoc • No Access Point(s) in Network • Network Interface card operates as peer station
802.11 is the Standard that defines Wi-Fi Key Point: For purposes of auditing, your scanning equipment should be capable of detecting all flavors to be effective.
802.11 N • This will be the new standard for host/client communication. • Has been in development since early 2004. Currently expected to be approved by the end of 2009. Pre-N equipment has been on the market for years, but it may or may not be upgradeable to the final standard and often will not work with other brands. • Uses multiple antennas to boost throughput. • Backwards compatible, but maximum performance in a pure N environment. • Speed boost most useful for high bandwidth INTRANET applications, unless you have an extremely fast internet connection.
802.11 Y • Should be official by the end of 2008. • Designed for use as a wireless backbone, not for host/client applications. • Covers the “Last Mile” applications, especially where wired connections unavailable/impractical.
The Rest of the Information… Key Point: In a perfect world, your scanning equipment should be capable of detecting all 14 channels to be effective.
Definition - MAC Address (Like an SSN) • A media access control address (MAC address) is a unique identifier attached to most forms of networking equipment. The addresses are designed to be globally unique. The MAC address allows each host to be uniquely identified and allows frames to be marked for specific hosts. (Note: hackers can spoof the MAC address.)
Definition – SSID (Like a Name) • A service set identifier (SSID) is a code attached to all packets on a wireless network to identify each packet as part of that network. Think of it as similar to having the company name on the side of a building. The code consists of a maximum of 32 alphanumeric characters. All wireless devices attempting to communicate with each other must share the same SSID. • There are two major variants of the SSID. Ad-hoc wireless networks that consist of client machines without an access point use the BSSID (Basic Service Set Identifier); whereas on an infrastructure network which includes an access point, the ESSID (E for Extended) is used instead. Each of these different types may be referred to in general terms as SSID. A network's SSID is often referred to as the "network name". The SSID is either broadcast automatically by the AP, or sent upon request (probe) from a user station.
First there was WEP • The 802.11b standard includes a provision for encryption called WEP (Wired Equivalent Privacy). Depending on the manufacturer and model of the NIC and access point, there are two levels of WEP commonly available: one based on a 40-bit encryption key and a 24-bit Initialization Vector (IV), also called 64-bit encryption and generally considered insecure, and one based on a 104-bit key plus the 24-bit IV (so-called 128-bit encryption). Each device on the network must have the same key, and that key must be manually entered into the wireless receiving device to match the key on the access point. Some proprietary solutions from vendors like Cisco have automated the passing of keys.
More WEP • WECA (Wireless Ethernet Compatibility Alliance) only certified 64-bit WEP encryption. Thus, access points and cards supporting 128-bit and 256-bit WEP encryption may not work with all vendors' wireless cards, even if those cards offer these encryption schemes, due to possible variances in the wireless chipsets vendors use in their products. Therefore, most sites will use 64-bit encryption to allow wireless cards from different vendors to work on their network. Some vendors like Cisco also have proprietary encryption solutions like LEAP that only work on Cisco wireless cards. For audits, the main concern is that sites using 64-bit WEP encryption are using a weak encryption standard for the security of wireless data communications. Of course, this is better than access points that are deployed without WEP even being enabled. But not by much.
WEP Cracking • "WEP was broken back in 2000, and better solutions -- first WPA, now WPA2 -- have been readily available for five years." "Any company that cares about WLAN security should have migrated off WEP a long time ago." • “A team of German researchers devised a new attack against WEP that can cause it to fail in roughly 20 seconds on a busy 802.11g network and 80 seconds on 802.11b. If the network is idle, it can cause WEP to fail in 52 seconds on 802.11g or just over three minutes on 802.11b.” http://searchnetworking.techtarget.com/news/article/0,289142,sid7_gci1252992,00.html
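The 24-bit IV is the root of the weakness the slides describe: WEP feeds IV and key into RC4 together, so whenever an IV repeats under the same key the same keystream is reused. This added example (not part of the slides) puts numbers on how soon that happens; the packet rate is an assumed figure and the simulation uses constructed random IVs, not captured traffic.

```python
import math
import random

IV_BITS = 24                 # WEP initialization vector size, per the slides
IV_SPACE = 2 ** IV_BITS      # 16,777,216 distinct IV values


def packets_for_reuse_probability(p, iv_space=IV_SPACE):
    """Birthday-bound estimate of how many packets are sent before the
    probability that some IV value has already been used reaches p,
    assuming each sender picks IVs uniformly at random."""
    return math.ceil(math.sqrt(2 * iv_space * math.log(1 / (1 - p))))


def hours_until_counter_wraps(packets_per_second, iv_space=IV_SPACE):
    """A card that simply counts IVs upward repeats the whole sequence after
    iv_space packets; at a sustained packet rate this is the time until the
    first guaranteed repeat."""
    return iv_space / packets_per_second / 3600


def simulate_iv_reuse(n_packets, seed=1, iv_bits=IV_BITS):
    """Count how many of n_packets randomly chosen IVs repeat an earlier one
    (constructed simulation, not real traffic)."""
    rng = random.Random(seed)
    seen = set()
    reuses = 0
    for _ in range(n_packets):
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            reuses += 1          # same IV + same key = same RC4 keystream
        else:
            seen.add(iv)
    return reuses


if __name__ == "__main__":
    print("50% chance of an IV repeat after", packets_for_reuse_probability(0.5), "packets")
    print("counter wraps after about %.1f hours at 500 pkt/s" % hours_until_counter_wraps(500))
    print("repeats among 100,000 random IVs:", simulate_iv_reuse(100_000))
```

The point for the auditor: a busy network exhausts or collides the IV space in hours, not years, which is why 64-bit and 128-bit WEP are both weak regardless of key length.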
802.11 i • Security standard for wireless • Specifically created to address the problems with WEP
WPA (Wi-Fi Protected Access) • WPA is a subset of the 802.11i security standard for wireless networks. It was implemented as an immediate measure to respond to the shortcomings of WEP while 802.11i was being finalized. • Encryption – uses RC4 stream cipher, 128 bit key and a 48 bit initialization vector, huge improvement over WEP
WPA - TKIP • TKIP is a wrapper that goes around the encryption that was part of WEP. An important part of TKIP is that it changes the key used for each packet; this is the 'Temporal' part of the picture. The key is created by mixing together a combination of things, including a base key (called a Pairwise Transient Key in TKIP parlance), the MAC address of the transmitting station, and the serial number of the packet. The mixing operation is designed to put a minimum demand on the stations and access points, yet have enough cryptographic strength that it cannot easily be broken. So basically, TKIP allows for a longer key than WEP, and one that varies from packet to packet.
WPA – Enterprise Mode • Enterprise is meant for use with an authentication server, which distributes different keys to each user. • If a key is compromised, you only need to reset the one user rather than every user.
WPA – PSK Mode • One variation of WPA is called WPA Pre Shared Key or WPA-PSK for short. WPA-PSK is a simplified but still powerful form of WPA most suitable for home Wi-Fi networking. To use WPA-PSK, a person sets a static key or "passphrase" as with WEP.
WPA2 • Maintains all components specified in the 802.11i standard. • The primary difference between WPA and WPA2 is the type of encryption used – the stronger Advanced Encryption Standard (AES) vs. TKIP in WPA. • WPA2 provides government grade security by implementing the National Institute of Standards and Technology (NIST) FIPS 140-2 compliant AES encryption algorithm. http://www.wi-fi.org/OpenSection/protected_access.asp
WPA2 Just like WPA, WPA2 comes in Enterprise and PSK flavors.
Audit Concerns • Are there rogue access points? • Are authorized access points adequately secured?
Why are we auditing for rogues? • Increased vulnerability to the network by extending entity network “beyond the walls” • Confidential data may be sent in the clear • Violation of entity policies/procedures for installation of wireless devices • Errors by Administrators setting up APs
Basic Tools • PC Cards/WiFi Antennas • Wi-Fi Finders • Built in XP Tools • Netstumbler • Wellenreiter • Kismet • Aircrack
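One way to turn the output of tools like those above into answers to the two audit questions (rogue APs, and whether authorized APs are adequately secured), as an added example that is not from the slides or from any of the named tools. The scan lines are constructed, their field order is an assumption, and the authorized-BSSID inventory and US-channel assumption are hypothetical.

```python
# Constructed sample scan output (not a real capture). Field order is an
# assumption: BSSID, SSID, channel, encryption; one access point per line.
SCAN_LINES = """\
00:11:22:33:44:01, AUDITEE-CORP, 6, WPA2
00:11:22:33:44:02, AUDITEE-CORP, 11, WPA2
00:11:22:33:44:03, AUDITEE-GUEST, 1, WEP
AA:BB:CC:DD:EE:01, linksys, 6, OPEN
AA:BB:CC:DD:EE:02, AUDITEE-CORP, 13, WPA2
"""

# Hypothetical inventory of the auditee's authorized access points and network names.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}
AUTHORIZED_SSIDS = {"AUDITEE-CORP", "AUDITEE-GUEST"}
WEAK_ENCRYPTION = {"OPEN", "WEP"}   # open: data in the clear; WEP: weak, as the slides note
US_CHANNELS = range(1, 12)          # assumption: US auditee, where 2.4 GHz channels 1-11 are permitted


def parse_scan(text):
    """Parse the constructed scan format into (bssid, ssid, channel, encryption) tuples."""
    aps = []
    for line in text.strip().splitlines():
        bssid, ssid, channel, enc = (field.strip() for field in line.split(","))
        aps.append((bssid.upper(), ssid, int(channel), enc.upper()))
    return aps


def audit(aps, authorized_bssids=AUTHORIZED_BSSIDS, authorized_ssids=AUTHORIZED_SSIDS):
    """Return {bssid: [issues]} answering the two audit questions:
    is each AP authorized, and is each authorized AP adequately secured?"""
    findings = {}
    for bssid, ssid, channel, enc in aps:
        issues = []
        if bssid not in authorized_bssids:
            issues.append("rogue: BSSID not in the authorized inventory")
            if ssid in authorized_ssids:
                # An unauthorized radio advertising the entity's own network name
                # gets priority: staff may join it believing it is the real network.
                issues.append("rogue advertises an authorized SSID")
        if enc in WEAK_ENCRYPTION:
            issues.append(f"weak encryption: {enc}")
        if channel not in US_CHANNELS:
            # A scanner that only covers channels 1-11 would never see this AP,
            # which is why the slides ask for equipment that detects all 14 channels.
            issues.append(f"channel {channel} is outside permitted US channels 1-11")
        if issues:
            findings[bssid] = issues
    return findings
```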
The Laptop Internal or PC Card has Limits • It's very difficult to get effective results with a laptop using a PC card's tiny integrated "bulge" antenna. Only a fairly small number of PC cards have a tiny coaxial jack into which you can plug a coaxial connector leading to an external antenna. Experiments using Netstumbler showed that a PC card's integrated antenna alone discovers only 50%-60% as many stations as a higher-powered external antenna.
The Basics of Direction • Antennas come in various shapes and sizes. They have different performance patterns and gain. • Directional antennas focus the signal in a specific direction with more power. • Omni directional antennas work great to cover uniformly in all directions.
Directional Antennas • Directional antennas are used for Point-to-Point or sometimes for Multi-Point systems depending on the setup. Directional antennas are Backfires, Yagi, Panel and dish type antennas.
Backfire • The backfire is a small directional antenna with excellent gain (15 dBi). Backfires look similar to a parabolic dish, but the gain isn't as high. They work well for point-to-point or point-to-multipoint systems because of the excellent gain and good noise figures.
Yagi Directional • Yagi antennas were designed by two Japanese engineers, Hidetsugu Yagi and Shintaro Uda, and are sometimes referred to as Yagi-Uda antennas. These antennas are typically very directional and are used for point-to-point links, or to extend the range of a point-to-multipoint system. They have excellent signal strength and in the right circumstances can communicate for miles!
Panel Directional • Flat panel and sector directional antennas offer a high gain in a very thin, low profile package.
Dish Directional • One of the most powerful wireless antennas for distance. Parabolic dish antennas put out tremendous gain but are a little hard to point and make a connection with. As the gain of an antenna increases, its radiation pattern narrows until you have only a very small window in which to aim your dish correctly. Dish antennas are almost always used for point-to-point, long-haul systems. Parabolic dish antennas work by focusing the power to a central point and beaming the radio's signal to a specific area, kind of like the adjustable reflector on a flashlight. These antennas are highly focused and are an excellent tool to send signals a very long distance.
Omni-Directional • This is the common “Base” antenna used for Point-to-Multi-Point. Typical Omni-Directional WiFi antennas consist of Vertical Omnis, Ceiling Domes, Rubber ducks, Small Desktops and Mobile vertical antennas.
Vertical Omni • This type of antenna can act as the central point to a WiFi, WLAN or 802.11 application. Can exhibit 12dB+ of gain. You would normally find this type of antenna as the central point of an auditee’s system.
Ceiling Dome • Auditees may mount ceiling domes to form a complete wireless network.
Rubber Duck Omni • This antenna gives you approximately 2 times the range over your existing wireless AP "Stock" antenna.
Small Desktop • Supplements the rubber duck antennas provided for some APs
Mobile Vertical Omni • Provides a vast improvement over a PC Card wireless card when used for wardriving.
Wi-Fi Finders • Come in a variety of forms. • Some just show whether or not there is available Wi-Fi. • Others test to see if you can get on-line via the connection. • Others actually display the SSID and other information about the network.
2.4 GHz Wi-Fi Detector TEW-T1 • Detects 2.4 GHz wireless signals generated by 802.11b/g Wi-Fi devices, cordless phones, microwave ovens and wireless hidden cameras • Helps network administrators survey the environment and locate interference easily • Verifies Wi-Fi signal strength, allowing better configuration • Indicates signal strength with diagnostic LEDs • Displays signal source with diagnostic LEDs • Operates at 0.5 seconds for fast signal detection • Offers Automatic-Alert, Automatic-Silent, and Manual scan modes • Scans for 30 minutes and automatically turns off in Automatic scan mode • Supports a range of up to 20~45 meters indoors and 60~90 meters outdoors (depends on the environment)
Wi-Fi Finders/Detectors • These are great tools to help you find an access point for use, but are not sufficient for audit purposes.
Built-in XP Tool • A very basic tool, but most likely available on any laptop.