1 / 30

Manage & Secure Your Wireless Connections

Manage & Secure Your Wireless Connections. Ernest Staats Director of Technology and Network Services at GCA Presented for the Nebraska Cyber Security Conference June 2009 MS Information Assurance, CISSP, CWNA, CEH, MCSE, CNA, Security+, I-Net+, Network+, Server+, A+ erstaats@gmail.com

jacie
Download Presentation

Manage & Secure Your Wireless Connections

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Manage & Secure Your Wireless Connections Ernest Staats Director of Technology and Network Services at GCA Presented for the Nebraska Cyber Security Conference June 2009 MS Information Assurance, CISSP, CWNA, CEH, MCSE, CNA, Security+, I-Net+, Network+, Server+, A+ erstaats@gmail.com Resources available @ http://es-es.net

  2. Why Manage? • Bandwidth (when downloading or using VoIP) • Co-channel interference (phones, microwaves, rogue AP’s) • Old Firmware (check for updates every quarter) • Management and control frames can’t be encrypted, nor can header values like ESSID and MAC address • Stumblers <CommView> and WEP/PSK crackers • Mobile devices • DoS attacks (point-and-click raw packet injection tools) • Forged messages • Demand for more wireless access • BackTrack (www.remote-exploit.org) • 802.11n issues

  3. Wireless Vulnerabilities

  4. Wireless Vulnerabilities

  5. Overlooked: Site Survey • What types of interference are you going to contend with? •  What distances do you need to broadcast? •  What types of data are you going to support over WIFI? (data/voice) network access •  Set up worst-case scenario for testing • Know your signal-to-noise ratio • You should expect an interview before any testing is done (how many users, roaming, location of wiring closets) Adapted from: Certified Wireless Network Administrator certification Course available at::http://www.cwnp.com/

  6. Changing Default Settings • Change the default logon password and make it long! • All defaults are known and published on the Net • http://www.phenoelit.de/dpl/dpl.html updated often • AP Management Interface • HTTP, SNMP, Telnet • HTTP login • Linksys: UID=blank PW=admin • SNMP (disable SNMP or use a management VLAN that is secure) • All: PW=public • Change default open systems to WPA2: use a long passphrase

  7. Cell Sizing • How far is your WIFI signal going? (that is called your cell size) • Can’t cover whole building? • Better antenna • MIMO • 802.11n • Power setting • The cell size is usually adjusted by the power setting • Go outside and see how far your wireless signal is reaching (you will be surprised)

  8. ESSID Naming • Identifies network • Helps others identify whether or not you have left default settings on • Broadcast on by default • Once again with the default settings, your wireless device broadcasts its name, saying, “My name is … connect to me” • Turning off SSID broadcasting is called “cloaking”; can cause issues in enterprise systems • Avoid naming your SSID a private or personal code (It’s not a password!!! Even cloaked ESSID’s are easily discovered )

  9. MAC Filtering • A MAC address is the hardware number that is network card specific (literally burned into the network card when it is made) • Does not scale to large networks • Relatively easy to defeat • Good option for home users

  10. Authentication with 802.1x • Authenticates users before granting access to L2 media • Makes use of EAP (Extensible Authentication Protocol) • PEAP, EAP-TLS, EAP-TTLS, etc. • 802.1x authentication happens at L2 – users will be authenticated before an IP address is assigned

  11. Encrypt the Data • WEP • Simple & easy to crack • No key management • It is worse than no encryption • TKIP (Temporal Key Integrity Protocol) WPA/WPA2 • Works on legacy hardware • Has been cracked • AES used in WPA 2 • Considered the best option • FIPS 140-2 approved (Federal Information Processing Standard) • Use with 802.1x

  12. Encryption • WEP – First Wireless Security • Cracked -- Any middle-schooler can crack your WEP key in short order • WPA • Cracked… but • Key changes • WPA2 • Cracked… but • Harder to crack than WPA; don’t use PSK • 802.1x • Uses server to authorize user • Can be very secure • 802.11i • AES encryption – “uncrackable”

  13. Authorize Data • Most organizations do a decent job of authentication (who the user is), but a poor job of authorization (what the user is allowed to do); NAC’s/NAP’s and 802.11i help this issue • Mobile networks are typically multi-use • Authentication provides you with user identity – now use it! Identity-aware firewall policies can restrict what a user can do, based on that user’s needs

  14. Home Wireless Overlooked • Change default settings -- SSID and passwords • Use WPA (or better, WPA2); use long PSK • Use a MAC filter • Turn off SSID broadcasting • Know how far your wireless signal is reaching • Turn off wireless when not being used, & turn off DHCP or limit DHCP • Disable remote administration • Update Firmware on AP and wireless cards semi-annually • Secure your home machines • Current AV • Firewall (if the wireless router has a firewall option, turn it on) • Spyware protection • Auto update Windows • Use VPN • Common sense (check the “Secure Your Laptop Section”)

  15. Secure Your Laptop • Turn your firewall on: Start > Settings > Network Connections > Wireless Network Connection > Change Advanced Settings > Advanced Tab > Windows Firewall Settings > Select “On” > OK • BETTER YET use another firewall (i.e. Kerio, Jetico, or Zone Alarm) • Turn ad-hoc mode off: Start > Settings > Network Connections > Wireless Network Connection > Change Advanced Settings > Wireless Networks Tab > Select Network > Properties > Uncheck “This is a computer-to-computer (ad-hoc) network” > OK • Disable file sharing: Start > Settings > Network Connections > Wireless Network Connection > Change Advanced Settings > Uncheck “File and Printer Sharing” > OK • Change Administrator password : Click Start > Control Panel > User Accounts. Ensure the Guest account is disabled. Click your administrator user account and reset the password

  16. VPN Solutions • AnchorFree's Hotspot Shield, a free software download. Install it on a Windows PC Paid VPN Solutions • WiTopia's personalVPN, • HotspotVPN (SSL) • VPN connections require installation of a utility on the computer

  17. Teach Hotspot Security • Use a personal firewall • Use anti-virus software (update daily or hourly) • Update your operating system and other applications (i.e. Office, Adobe Reader) regularly • Turn off file sharing • Use Web-based e-mail that employs secure http (https) • Use a virtual private network (VPN) • Password-protect your computer and important files (make sure your administrator account has a good long password) • Encrypt files before transferring or e-mailing them • Make sure you're connected to a legitimate access point • Be aware of people around you • Properly log out of web sites by clicking log out instead of just closing your browser or typing in a new Internet address • Use a more secure browser Chrome in private mode

  18. TIPS for WIFI at Work • Use a wireless system that has a centrally managed controller and reporting system • Name all your AP's with the same name so if the signal gets blocked and they then get a stronger signal from another work AP they do not have to re-authenticate to the work wireless network • Make sure all your AP's are on the same subnet if you are doing AD authentication • Make sure the work network is the only one listed on the preferred networks • Use a wireless firewall (Motorola) • Know your air space issues (AirMagnet) • I prefer the single channel solution

  19. TIPS for WIFI at Work (cont.) • Make sure laptops are set to infrastructure mode • Make sure the “Automatically connect to non-preferred networks” is unchecked • Use 802.1x (or better, 802.11i) • Use a WIPS (Wireless Intrusion Prevention System); look at log files • Use NAC • Have WIFI policies • Disable WIFI card if plugged into network • Have users take home a secure AP that will tunnel back into the corporate network (Aruba, Motorola)

  20. A Layered Approach

  21. Key Security Principles • Principle of Least Privilege • Authentication, identity-based security, firewalls • Defense in depth • Authentication, encryption, intrusion protection, client integrity • Prevention is ideal; detection is a must • Intrusion detection systems, log files, audit trails, alarms, and alerts • “Know your enemies & know yourself” (Sun Tzu) • Integrated centralized management

  22. Wireless Gold Standard • Centralized wireless • Have and update WIFI policies • Keep clients updated – drivers too! • Guest access on separate VLAN / Network • Wireless intrusion detection • Locate and protect against rogue APs • WPA-2 • Device authentication using 802.1x and PEAP • User authentication using 802.1x and PEAP • AES for link-layer encryption • Long (not strong) passwords (15 character) • Token-card products • Protect wireless users from other wireless users • Protect sections of the network from unauthorized access

  23. Must Have a WIFI Policy • At a minimum, the policy should involve continuous review of potential threats and vulnerabilities and should deal with the following: • Overall policy • Access control <this includes non-enterprise devices> • Usage management and monitoring • Security monitoring <this includes non-enterprise devices> • Network security <this includes non-enterprise devices> • Virus protection <this includes non-enterprise devices> • Encryption <this includes non-enterprise devices> • Pertinent laws <this includes non-enterprise devices> • Incident response <this includes non-enterprise devices> • Enforcement <this includes non-enterprise devices>

  24. Captive Portals for Guests • Browser-based authentication • SSL encrypted • Use for guest access only • Put on separate VLAN or network

  25. Controller Dashboard

  26. 802.11n Issues • Frame aggregation • Block Acknowledgment • 40 MHz channel bonding • Spoofed duration fields • Only channel 3,9 do not overlap with 40 MHz channels on the 2.4 range • AP Placement is 1800 different

  27. What About “NAC”? • Identity-based policy control • Assess user role, device, location, time, application • Policies follow users throughout network • Health-based assessment • Client health validation • Remediation • Ongoing compliance • Network-based protection • Stateful firewalls to enforce policies and quarantine • User/device blacklisting based on policy validation • We use Bradford for our NAC at GCA Excellent Pricing for Edu’s

  28. Shameless Plug • Presentations on my site located at • www.es-es.net • Come join my afternoon lecture @ 1:30pm • Session 3: Intrusion Prevention from the Inside Out • To learn more about GCA (Georgia Cumberland Academy) • www.gcasda.org

  29. Resources: Software • Air Magnet http://www.airmagnet.com/products/demo-download.php • Net Stumbler –Free http://www.netstumbler.com/downloads/ • Mini Stumbler –Free http://www.netstumbler.com/downloads/ • Aircrack-2.1 802.11 sniffer and WEP key cracker for Windows and Linux. -Free http://www.cr0.net:8040/code/network/

  30. Resources: Links • CWNP Learning Center has over 1000 free white papers, case studies: http://www.cwnp.com/learning_center/index.html • free electronic site survey forms (excellent):http://www.cwnp.com/mlist/subscribe.php • GUIDE TO MASTERING NEGOTIATIONS: http://common.ziffdavisinternet.com/download/0/2537/whiteboardtoview.pdf

More Related