1 / 46

Wireless Security & Controls: Issues, Treats, Solutions & Trends

Wireless Security & Controls: Issues, Treats, Solutions & Trends. Prepared by: Greg Gabet, IBMGS Security & Internet Architect. Abstract .

ella
Download Presentation

Wireless Security & Controls: Issues, Treats, Solutions & Trends

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Wireless Security & Controls:Issues, Treats, Solutions & Trends • Prepared by: • Greg Gabet, IBMGS • Security & Internet Architect

  2. Abstract • Wireless technology has hit critical mass before the security & controls have matured. Organizations are architecting wireless solutions for current business requirements & homes are integrating wireless environments that are often used as a platform for their business laptops to connect to the workplace. • This presentation will exam the architecture, security, & control challenges for SOHO, as well as enterprises. Emerging standards, providers, & best practices for securing & controlling wireless will be discussed. This presentation is for the intermediate to advanced practitioner.

  3. Agenda : • Motivation for Wireless in the Enterprise • Wireless Topologies,Characteristics, & Standards • Wireless Challenges, Opportunities, & Architecture issues • Specific Threats & New Authentication Mechanisms • Wireless Management Issues • Possible Architectures • Trends • Summary

  4. Enterprise WLAN Revenues % Laptops Deployed With build-in wireless ------------------------------- 2002 – 20% 2003 – 60% 2004 – 90% Consumer purchases Are 48% of sales & Enterprises are about 43%. Operators/ISPs Make up remainder. In 2003, 11% was 802.11G. Millions $5000 $4000 +30% +70% $3000 $2000 +50% $1000 $0 2000 1999 1998 2002 2001 2003 2005 2004 Source: Cahners In-Stat Group, 2001

  5. WAN (Wide Area Network) 2.5G - 3G Phone MAN (Metropolitan Area Network) 802.11, 802.16, MMDS, LMDS LAN (Local Area Network) 802.11 & HyperLan2 PAN (Personal Area Network) Bluetooth Wireless Topologies & Demographics

  6. General Characteristics of Wireless Technologies

  7. IEEE 802.11 Standards Activities

  8. 802.11- Both Freq. Bands will be Successful

  9. Security Challenges & Opportunities Increased Connection & Management Complexity: • Connections: • Difficult to assure C.I.A. of data over multiple 3rd party wireless data networks. • Enabling different makes & models of mobile devices (PDAs, Cell Phones, Laptops) work securely with new interfaces to e-business applications, especially when the security capabilities are severely restricted (VPN,PKI,Certs, ECC, CPU). • Mgmt & Integration of New Devices, OS’s, Protocols & Applications Into Security Architecture: • Variety of vendors & AP/Node management options (IBM, CA, CISCO, & • Immaturity of wireless devices, operating systems, applications & network technologies (firmware upgrades are frequent, especially for 802.11A & G, LEAP/PEAP) • Increased size of the user base increases the threat of hacker & malicious code attacks. • New Policies, Procedures, Practices, Personnel, Mechanisms, Services & Objects! Password Vulnerability: • The initial psw on wireless devices tend to be deactivated by the manufacturer or user, thus allowing unauthorized access to AP/connected devices. Unauthorized configuration of Device: • Wireless devices may have remote configuration facilities, undocumented APIs or software bugs which could be exploited . Denial-of-Service Attacks: • Jamming or continuous transmissions of large amts of data to the wireless device will use network bandwidth; thus leading to performance degradation or non-availability. Loss-of-Data: • Storage capabilities of mobile devices are increasing. If a device malfunctions, is lost, or data is accidentally deleted, with no recent data backup of lack of restoration capability, the data will be lost forever.

  10. Where & How Does Wireless Affect Corp Architecture?

  11. Security Architecture Layers & Requirements • Objects & Information: • AP, Wireless Cards, Wireless Mgmt Stations, RADIUS/LDAP servers • Security Services • Organization/Personnel responsible for: • Maintenance of AP & Wireless Card firmware upgrades • Authentication, Authorization, & Access Control to Wireless subnets/servers • Audits, Reviews, Compliance Checks for wireless components & critical settings • Network Architecture of Wireless AP Placement, redundancy, & bandwidth • Encryption & Integrity of wireless transmissions • Security Mechanisms • Tools • Sniffers, IDS, Vulnerability Assessment hardware & software • Encryption Keys • VLANs • Firewalls, RADIUS, LDAP, SNMP, etc • Information Security Policies • Wireless Usage Policy (External & Internal) • VPN Usage Policy • Wireless Placement

  12. Critical Security & Privacy Issues for Wireless LAN • According to IDC’s Mobile Council Advisory Survey, the most significant wireless security concerns are: • Management of devices’ security • Corruption of data sent to wireless devices • Malicious code & Malware (Viruses,Trojans, Worms) • Unauthorized users • Confidentiality of data sent wirelessly • Security of data stored on a handheld device

  13. Why Wireless LAN’s Create Problems • CIA can be lost for information as it passes over wireless data networks • Operators often turn off encryption & anonymous AP resets will set AP back to defaults. Note: Not all vendors provide a physically accessible reset button • War driving can collect valuable info that often shared with the Internet • Rogue access points can collect valuable info used to later break systems • Data Interception on backbone networks can result in information disclosure • RF signal jamming can lead to unavailability of mobile devices & network • One way authentication: Most wireless clients are authenticated to the network, not vice versa (one sided authentication only). This enables "man-in-the-middle" attacks to eavesdrop on transmissions • Paths of communication may pass multiple uncontrolled networks (Exec’s LAN) • Lack of Security Awareness of Users – Actually your biggest bang for buck. • Weak wireless crypto algorithms allow RF scanning & decryption of WEP keys • Physical security issues (Access points and cards are easy to steal!) • Lack of Policies, Procedures, Compliance & Audit Understanding • Lack of granularity in access – Often, an all or nothing approach to access • Minimum mainstream network infrastructure support (Probes, Agents, IDS, Radius with LEAP/PEAP/EAP support).

  14. Threats – Unauthorized Access Points • Plug-in Unauthorized Clients: An attacker tries to connect his wireless client, typically a laptop to an access point without authorization, intentional or unintentional. This is often used for those requiring ‘free’ internet access • Plug-in Unauthorized Renegade Access Point: Companies are aware that internal employees have deployed wireless capabilities on their network. An internal employee wanting to add their own wireless capabilities to the network plugs in their own access point into the wired intranet – thus creating a risk if the access point has not been properly secured. This could lead unauthorized clients then gaining access to unauthorized access points, allowing intruders into the internal network. LAN Internal Client Unsecured Rogue AP Hacker Secure Valid AP Internal Client

  15. Threats – War Driving Map Created & On Internet • War Driving: a process, named after the term War Dialing process used by hackers to locate compromisable dialup modems. Requires inexpensive equipment, typically a laptop or a PDA, Wireless card, GPS & an external “antenna” • As people are "War Driving", locating the APs & recording the GPS coordinates of the AP location, these AP maps are being shared to any attacker on the Internet. • If a company has their AP location & information shared on the Internet, their AP becomes a potential target & increases their risk.

  16. Valid Access Point Threats: Man-in-the-Middle • Access Point Clone intercepting traffic: An attacker can trick legitimate wireless clients to connect to the attacker's honey pot network by placing an unauthorized base station with a stronger signal within close proximity of the wireless clients that mimic a legitimate base station. This may cause unaware users to attempt to log into the attacker's man in the middle servers. With false login prompts, the user unknowingly can give away sensitive data like passwords. LAN Hacker Rogue DHCP Server Rogue AP, not connected to internal LAN Internal Client

  17. Valid Access Point Threats: Client Attack • Client Dissociations : Forced client re-association / disassociation attacks. This will effectively causes a denial of of service on the client under attacks. A second form of this attack is to take over an established connection Internal Client Hacker LAN Rogue AP internal to the client Rogue Attack Client

  18. Threats: Security Controls • Misconfiguration issues:Many access stations analyzed have been configured in a minimal & default secure mode. Unless the administrator of the base station understands the security risks, most of the base stations will remain at a high risk level. Server Set ID (SSID) Attackers can use default SSIDs to attempt to penetrate base stations that are still in their default configuration. • Reset Issues:Included in this are reset access points. Often when an access point hangs or crashed, someone may push the reset button on the access point. This clears any WEP keys the access point may have had. • Physical Security Issues:Often security guards are not trained to recognize physical wireless attacks, nor how to detect them.

  19. Threats – WEP security • WEP Encryption Issues:802.11b standard uses encryption called WEP (Wired Equivalent Privacy). WEP has known weaknesses in how the encryption is implemented (IV). Note: WEP is better than no WEP; it at least stops casual sniffers. • Available Tools:Today, there are readily available tools for most attackers to crack the WEP keys. Airsnort, Yellowjacket, Airfart & others tools take a lot of packets (several million) to get the WEP key, on most networks this takes longer than most people are willing to wait (1 or more days). If the network is very busy, the WEP key can be cracked & obtained within 30 minutes. Because of the WEP weakness, wireless sniffing & hijacking techniques can work despite the WEP encrypted turned on. • Weak Default WEP Keys:Access points have been seen with manufacturer created WEP keys linked to the Hex encoding of the SSID of the access point. Some manufacturing companies use WEP keys which are the same as the SSID or easily guessable

  20. Limitations of 802.11 WEP Security • Shared, static WEP keys • No centralized key mgmt • Poor protection from variety of security attacks • No effective way to deal with lost or stolen adapter • Possessor has network access • Re-keying of all WLAN client devices is required • No mutual authentication • Lack of integrated user admin • Need for separate user databases; no use of RADIUS • Potential to identify user only by device attribute like MAC address • Inherent weaknesses in RC4-based WEP keys TKIP and AES 802.1X WPA

  21. 802.1X Authentication Types • LEAP (EAP Cisco Wireless) • User authentication via user ID & password • Supports Windows, CE, Linux, Mac OS, and DOS • Aggressive licensing program by Cisco to other vendors • EAP-TLS (EAP-Transport Layer Security) • User authentication via client certificates & server certificates • Supported in XP, but other Windows versions by 2004 • Currently used by Microsoft • PEAP (Protected EAP) • User authentication via user ID and password or OTP • Supported by Cisco Aironet client adapters and by Microsoft in various Windows versions • Uses server-side TLS, which requires only server certificates • EAP-TTLS • User authentication via user ID & password or OTP • Uses server-side TLS Note: EAP is Extensible Authentication Protocol

  22. 802.1X-based: Mutual Authentication Access Point RADIUS Server AP blocks all requests until authentication completes RADIUS server authenticates client Client authenticates RADIUS server Derive Derive key key Mutual Authentication is required to prevent rogue clients from accessing your network, AND to prevent rogue AP’s from “stealing” data from your clients

  23. 802.1X/LEAP Mutual Authentication RADIUS server Start AP blocks all requests until authentication completes Request identity identity identity RADIUS server authenticates client Client authenticates RADIUS server Derive key Derive key Mutual Authentication is required to prevent rogue clients from accessing your network, AND to prevent rogue AP’s from “stealing” data from your clients

  24. PEAP Authentication RADIUS server Use server-side EAP-TLS to authenticate RADIUS server… …& builds SSL-encrypted tunnel user database user-supplied token Use tunnel to authenticate user via token, One Time Password, or other data PEAP sets up a secure, encrypted tunnel between client and RADIUS server

  25. Remote Access Security using VPN VPN Using Secure Intranet Firewall Enterprise Internet Wireless VPN Client High Speed Hotel/Airport/Home With VPN Client

  26. 802.11 Access Using VPNs

  27. IEEE 802.11i Security for Enterprise Level Sec. • Mutual Authentication • Dynamic Session Key • Message Integrity Check (MIC) • Temporal Key Integrity Protocol (TKIP) • Initialization Vector Sequencing • Rapid Re-Keying • Per-packet Key Hashing • Future • Stronger encryption schemes such as AES

  28. WPA = “Wi-Fi Protected Access” • WPA = 802.1X + TKIP • WPA requires authentication & encryption • 802.1X authentication choices include LEAP, PEAP, TLS • WPA has Strong Industry Supporters • Adds to 802.1X & TKIP • Widespread adoption of WPA will add robust security & remove the “security issue” from the WLAN industry • WPA will become accepted as the standard • WPA compliance is needed for Wi-Fi certification of new products beginning in August 2003

  29. Rogue AP Threats – 802.1x issues • Rogue 802.1x Log errors issues : Clients authenticating with rogue access points & rogue Cisco ACS servers will show up in the rogue ACS server logs, showing user ID Failures. Hence the only unknown is the password, as the userID, SSID & MAC can all be determined. • 802.1x session termination: Authenticated clients can be sent a session termination string by a rogue access point / client combination allowing the rogue client to continue an established session. Rogue DHCP Server Rogue ACS Server 802.1x Internal wireless Client Error Log Authentication Log Valid AP

  30. Threats – Internal Issues (ie SNMP) • Weak Internal issues: Wireless base stations may have a SNMP (Simple Network Management Protocol) agent running with the default community string name of “public”, an internal rogue employee can often both read & write sensitive information & data on the base station. . • With the default of most base stations using the community word "public", potentially sensitive information can be obtained from the access point. This includes turning off WEP encryption. • Configuration Patches: Some access points can have their configurations downloaded from the internal LAN’s, due to security configurations issues,

  31. Users Personal application services Wireless/Mobile Security Critical IssuesThere is a lack of end-to-end model, non-convergent standards, & support for seamless roaming Massive user base demanding confidentiality & privacy while roaming New & innovative applications & technologies introduce many new vulnerabilities Insecure pervasive devices Wireless Applications Wireless Networks Internet Wireless transactions Wireless Devices WPAN Portals Intranet Internet services WLAN Wireless messaging Corporate office services WWAN Wireless lifestyle facilitation Weak user authentication controls Insecure RF interfaces Internet weakness still apply but are made worse by the much larger user base Data transmitted over the air with weak authentication & encryption controls New network gateways, often with weak security

  32. Threats are often not the biggest issue…….. • Security Management

  33. Basic Security 40-bit, 128-bit, 256-bitStatic Encryption Key Open Access Telecommuter & SOHO Public Access Basic Wireless Security Profiles Enhanced Security Dynamic Encryption Key Scalable Key Managem’t Mutual 802.1x/EAP AuthenticationTKIP/WPA No WEP and Broadcast Mode Enterprise Public Network Security Traveler VirtualPrivateNetwork (VPN) Special Apps./ Business Traveler

  34. Wireless Management Requirements • Standardization of Network management & configuration tools used to manage wireless networks (budget & training) • Centralized management from a network operations center • Configuration of Access Points (logistics) • Configuration of Clients & upgrade procedures (logistics & personnel) • Client Management, access revocation, dual access, single signon • Wireless policies • Logging & accounting at a centralized level • Standards Based, such as LDAP • Centralized accounting & billing (maybe) • Rogue detection & encryption confirmation • Wireless LAN Key Management • Intrusion detection & response processes will have to be extended to cover wireless • Secure Password-protected management functions • Differential Access could require multiple new groups/profiles to manage • Wireless Technology integration

  35. Wireless Policy Issues • Policy needs to dictate permitted services & usage i.e. what types of connections are permitted ? • Wireless Access is often binary. i.e. Full network access or no network access – Roles potentially need to be catered for. (scanner vs. full LAN access) • One needs a means of identifying & enforcing wireless access policies • Existing company security policies need to be updated to cater for wireless security issues • Policy needs to indicate how access will be controlled.. i.e. Time of the day • Policy requirements dictate that all access needs to be logged • User compliance & standards enforcement • Centralized control of security policies • Wireless management • Wireless intrusion alert issues • Process to update client Software levels • Intrusion detection Policies

  36. Wireless Management of Threats & Risk Mitigation • User involvement & Cost • Process Management & Standards • Audits & Controls, • User & Key administration & authorization • Application security • Environmental Security • Bandwidth Robustness • Client security & Awareness • Network Security • Physical Security • Standards & technology issues • Policy Creation • Training for Support • WEP Key Password Quality • Technology (TKIP, AES, WAP) • Compliance & Client Detection Tools • Technology & Architecture (VPN, RADIUS, FW) • Network design & AP Layout • Network Review, IDS, & Vulnerability Assessments • Education for Policy, Compliance & Access Control • Standards, Architecture, Patch Management

  37. Wireless Mgmt Must Balance all Security Weaknesses User involvement, Awareness & Roles 4 Process Management & Standards Key password quality 3 Weakness 2 1 User & key administration Audits & Controls, & IDS Weakness Application Security Environment Integrity & Robustness Strength Client Security Network Security & Technology Issues Weakness

  38. “How to” Wireless Security Issues • Common challenges faced by our customers include the following:  • How to ensure business continuity? • How to be sure our existing security controls are appropriate? • How to justify the cost of security? • How to determine what security controls need to be implemented? • How to increase awareness & make security a priority within the business? • How to be sure our existing security controls are appropriate? • How to implement end-to-end solutions covering business & IT? • How to leverage new methods & technologies? • How to prepare for an industry recognised security certification? • How to remain confident over time that we have an appropriate security level? • How to find skilled individuals? • How to Architect the solution for flexibility, scalability, reliability, & security

  39. SSID: laptop Security: PEAP, TKIP SSID: pda Security: LEAP, CKIP SSID: phone Security: WEP Client Differentiation with Separate VLANs 802.1Q wired network w/ VLANs Channel: 1 SSID: laptop VLAN: 1 Channel: 6 SSID: pda VLAN: 2 Channel: 11 SSID: phone VLAN: 3

  40. Client Differentiation with VLANs 802.1Q wired network w/ VLANs Channel: 6 SSID laptop = VLAN 1 SSID pda = VLAN 2 SSID phone = VLAN 3 SSID: laptop Security: PEAP, TKIP SSID: pda Security: LEAP, CKIP SSID: phone Security: WEP

  41. Using Firewalls to Wireless AP Services LAN Internet Firewall VLAN VLAN RADIUS AP AP

  42. Challenges & Enablers for Wireless Security • The challenges can be addressed using Major 3rd Party Security Solution Providers Technology Architecture Structured design method Session cryptography/VPNs Functional architecture File encryption Operational architecture Content and virus filtering End-to-end security design Personal firewalls Managed Intrusion Response User and device authentication Security Services User authorization Wireless PKI Intrusion detection Security management Secure & Resilient Industry Solutions Skills Processes Risk management process Risk management expertise Incident management process IT security expertise Change management process Architecture and design expertise Audit process Industry knowledge Security awareness program

  43. Wireless Security Solution Design Companies • Wireless Security Solution Design Services • Look for companies to provide the following comprehensive set of activities from the planning & design phases of proven end-to-end Wireless services. And, can be delivered individually or packaged pieces according to your needs: • Wireless Strategy • Wireless Readiness Assessment • Wireless Value • Wireless Requirements • Wireless Policy • Conceptual Architecture • Functional Architecture • Wireless Product Selection • Site Selection & Facility Design • Component Architecture • Process Development

  44. Individual: How does it work? Passively monitors the wireless network Reports policy violations Human expert needed Periodic audits Two Types of Wireless Security Auditing Techniques: Individual or Distributed • Distributed: What does it do? • Distributed: wireless clients do the work • Real-time: continuous audits • Autonomic: network fixes its problems automatically • Audit: looks for vulnerabilities, & • Locates:rogue access points

  45. Wireless IDS is Needed that can • Detect & Protect against: • WAP spoofing – “man in the middle” attacks • Denial of Service • RF Jamming • WAP misconfiguration • Rogues APs • WarDriving probes • Wireless IDS services can significantly reduce your risk from attacks to your internal network & associated data

  46. Conclusion • Wireless is rapidly growing & has potential to increase productivity, especially in SOHO, Homes, certain industries • Wireless is currently unsecure, but solutions are maturing rapidly • Wireless technology is becoming enbedded in many form factors (laptops, PDAs, cellphones, etc) • 802.11 WEP security is insufficient for the enterprise • 802.1x & 802.11i offer great improvements and mitigate several security concerns • True mobile 802.11 wireless is difficult, but Mobile IP and other technologies are tackling the problem • New technologies create new and old challenges • People, Process, Policies, & Architecture are require to deploy wireless securely.

More Related