1 / 28

Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy

Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy. 802.11 Security Basics Legacy 802.11 security Robust Security Segmentation Infrastructure Security VPN wireless Security. Exam Essentials. Understand the risk of the rogue access point.

jenski
Download Presentation

Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy • 802.11 Security Basics • Legacy 802.11 security • Robust Security • Segmentation • Infrastructure Security • VPN wireless Security

  2. Exam Essentials • Understand the risk of the rogue access point. • Be able to explain why the rogue AP provides a portal into network resources. Understand that employees are often the source of rogue APs. • Define peer-to-peer attacks. • Understand that peer-to-peer attacks can happen via an access point or through an ad hoc network. Explain how to defend against this type of attack. • Know the risks of eavesdropping. • Explain the difference between casual and malicious eavesdropping. Explain why encryption is needed for protection. • Define authentication and hijacking attacks. • Explain the risks behind these types of attacks. Understand that a strong 802.1X/EAP solution is needed to mitigate them.

  3. Exam Essentials • Explain wireless denial-of-service attacks. • Know the difference between layer 1 and layer 2 DoS attacks. Explain why these attacks cannot be mitigated and can only be monitored. • Understand the types of wireless intrusion solutions. • Explain the difference between a WIDS and a WIPS. Understand that most solutions are distributed client/server models. Know the various components of an intrusion monitoring solution as well as the various models. Understand which attacks can be monitored and which can be prevented. • Understand the need for a wireless security policy. • Explain the difference between general and functional policies.

  4. Wireless Attacks • Portal to the wired network must be protected • Limit unauthorized access • Limit access to management consoles • Don’t want someone changing settings or passwords • Peer to peer • Watch out for unsecured netwroks Pg 470

  5. Rogue Wireless Devices • Non-Authorized on the network • Not controlled by admin • Set up by hacker • To get access or passwords • Set up by user • Ease of use • Open an unsecured portal to wired network • 802.1x can also help here Pg 471

  6. Peer to Peer • Client attacking client on a WiFi network • Ad-hoc or infrastructure • On infrastructure network, you can disable client to client communications • Public Secure Packet Forwarding • Beware of push to talk Pg 472

  7. Eavesdropping • Easy to do • Casual • Wardriving • Looking for wireless networks • Netstumbler • Malicious • Protocol analyzers and collection of data • Passive, cannot be detected by WIDS/WIPS • Use encryption to protect network Pg 472

  8. Cracking!! • WEP has been cracked • TKIP/CCMP are still secure • Authentication Attacks • Some systems are less secure than others • Dictionary attacks • PSK is weak as well • Will let hackers onto AP • Longer passphrases help Pg 475

  9. MAC Spoofing • MAC Filtering is weak security • Better than nothing Pg 477

  10. Management Interface • Don’t let hackers configure your devices • Disable unused interfaces • SNMP, Telnet, HTTP, • Use more secure interface • SSH, HTTPS • General policy is that management should be done from wired interface Pg 478

  11. Wireless Hijacking • Attacker configures AP to mimic enterprise AP • Same SSID • Attacker can then capture traffic • Can then either set up for man in the middle • Send “real” traffic on and capture details • Bridging the fake AP to real AP • Also can use WiFi phishing • Setting up a false captive portal Pg 479

  12. Denial Of Service • Prevent legitimate users from getting access • Hard to prevent • Need to remove device generating noise/traffic • Layer 1 jamming • Layer 2 • Deauthentication or deassociation packets • Flooding the AP with requests • Spectrum Analyzer can help with layer 1 • Protocol Analyzer will help with Layer 2 Pg 479

  13. Other Attacks • Vendor Specific • Buffer overflow that attacks OS • Social Engineering • Tricking someone into giving away information • PSK!!! Pg 481

  14. Intrusion Monitoring • Wireless Intrusion Detection Systems (WIDs) • Wireless Intrusion Prevention Systems (WIPS) • Can mitigate or respond Pg 481

  15. WIDS • Wired ports must be controlled • Prevent rogue APs • WIDS often go up before network • Check for rogue APs and usage • WIDS server • Management Console • Sensors Pg 482

  16. WIDS Sensors • Dedicated AP like devices that listen and report back to the management console/server • Can also be APs set into sensor mode • Or APs that scan as well as process traffic Pg 482

  17. WIDS Sensors Pg 482

  18. WIDS • Best at watching for layer 2 attacks • Can set alarms for “risky” traffic • Set thresholds • Different alert types • Overlay • Integrated • Integration enabled Pg 482

  19. WIPS • Infrastructure device • This classification refers to any client station or access point that is an authorized member of the company’s wireless network. A network administrator can manually label each radio as an infrastructure device after detection from the WIPS or can import a list of all the company’s radio card MAC addresses into the system. • Unknown device • The unknown device classification is assigned automatically to any new 802.11 radios that have been detected but not classified as rogues. Unknown devices are considered interfering devices and are usually investigated further to determine whether they are a neighbor’s devices or a potential future threat. • Known device • This classification refers to any client station or access point that is detected by the WIPS and whose identity is known. A known device is initially considered an interfering device. The known device label is typically manually assigned by an administrator to radio devices of neighboring businesses that are not considered a threat. Pg 485

  20. WIPS • Rogue device • The rogue classification refers to any client station or access point that is considered an interfering device and a potential threat. Most WIPS define rogue access points as devices that are actually plugged into the network backbone and are not known or managed by the organization. Most of the WIPS vendors use a variety of proprietary methods of determining whether a rogue access point is actually plugged into the wired infrastructure. • If a client is classified as a rogue, the WIPs can mitigate attack • Deauthenticate, deassociate • Spoof MAC of Rogue Pg 485

  21. WIPS • Rogue device • The rogue classification refers to any client station or access point that is considered an interfering device and a potential threat. Most WIPS define rogue access points as devices that are actually plugged into the network backbone and are not known or managed by the organization. Most of the WIPS vendors use a variety of proprietary methods of determining whether a rogue access point is actually plugged into the wired infrastructure. • If a client is classified as a rogue, the WIPs can mitigate attack • Deauthenticate, deassociate • Spoof MAC of Rogue • Use SNMP to disable the wired port it is connected to Pg 485

  22. Mobile WIDS • Laptop Version of the products • Mobile capabilities • Radio Card is sensor • Use to physically track down a Rogue AP • Some layer 1 functionality built in Pg 485

  23. Spectrum Analyzer • Use for security as well as surveys • Many can look at the RF signature and tell you what kind of device it is • Mobile and distributed • Like WIDs Pg 487

  24. Wireless Security Policy • How and what are you monitoring • How often should PSKs change Pg 487

  25. Wireless Security Policy • General Security Policy • Functional Security Policy • Legislative Compliance Pg 487

  26. Policy Recommendations • General Security Policy • Functional Security Policy • Legislative Compliance Pg 490

  27. Exam Essentials • Understand the risk of the rogue access point. • Be able to explain why the rogue AP provides a portal into network resources. Understand that employees are often the source of rogue APs. • Define peer-to-peer attacks. • Understand that peer-to-peer attacks can happen via an access point or through an ad hoc network. Explain how to defend against this type of attack. • Know the risks of eavesdropping. • Explain the difference between casual and malicious eavesdropping. Explain why encryption is needed for protection. • Define authentication and hijacking attacks. • Explain the risks behind these types of attacks. Understand that a strong 802.1X/EAP solution is needed to mitigate them.

  28. Exam Essentials • Explain wireless denial-of-service attacks. • Know the difference between layer 1 and layer 2 DoS attacks. Explain why these attacks cannot be mitigated and can only be monitored. • Understand the types of wireless intrusion solutions. • Explain the difference between a WIDS and a WIPS. Understand that most solutions are distributed client/server models. Know the various components of an intrusion monitoring solution as well as the various models. Understand which attacks can be monitored and which can be prevented. • Understand the need for a wireless security policy. • Explain the difference between general and functional policies.

More Related