280 likes | 405 Views
Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy. 802.11 Security Basics Legacy 802.11 security Robust Security Segmentation Infrastructure Security VPN wireless Security. Exam Essentials. Understand the risk of the rogue access point.
E N D
Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy • 802.11 Security Basics • Legacy 802.11 security • Robust Security • Segmentation • Infrastructure Security • VPN wireless Security
Exam Essentials • Understand the risk of the rogue access point. • Be able to explain why the rogue AP provides a portal into network resources. Understand that employees are often the source of rogue APs. • Define peer-to-peer attacks. • Understand that peer-to-peer attacks can happen via an access point or through an ad hoc network. Explain how to defend against this type of attack. • Know the risks of eavesdropping. • Explain the difference between casual and malicious eavesdropping. Explain why encryption is needed for protection. • Define authentication and hijacking attacks. • Explain the risks behind these types of attacks. Understand that a strong 802.1X/EAP solution is needed to mitigate them.
Exam Essentials • Explain wireless denial-of-service attacks. • Know the difference between layer 1 and layer 2 DoS attacks. Explain why these attacks cannot be mitigated and can only be monitored. • Understand the types of wireless intrusion solutions. • Explain the difference between a WIDS and a WIPS. Understand that most solutions are distributed client/server models. Know the various components of an intrusion monitoring solution as well as the various models. Understand which attacks can be monitored and which can be prevented. • Understand the need for a wireless security policy. • Explain the difference between general and functional policies.
Wireless Attacks • Portal to the wired network must be protected • Limit unauthorized access • Limit access to management consoles • Don’t want someone changing settings or passwords • Peer to peer • Watch out for unsecured netwroks Pg 470
Rogue Wireless Devices • Non-Authorized on the network • Not controlled by admin • Set up by hacker • To get access or passwords • Set up by user • Ease of use • Open an unsecured portal to wired network • 802.1x can also help here Pg 471
Peer to Peer • Client attacking client on a WiFi network • Ad-hoc or infrastructure • On infrastructure network, you can disable client to client communications • Public Secure Packet Forwarding • Beware of push to talk Pg 472
Eavesdropping • Easy to do • Casual • Wardriving • Looking for wireless networks • Netstumbler • Malicious • Protocol analyzers and collection of data • Passive, cannot be detected by WIDS/WIPS • Use encryption to protect network Pg 472
Cracking!! • WEP has been cracked • TKIP/CCMP are still secure • Authentication Attacks • Some systems are less secure than others • Dictionary attacks • PSK is weak as well • Will let hackers onto AP • Longer passphrases help Pg 475
MAC Spoofing • MAC Filtering is weak security • Better than nothing Pg 477
Management Interface • Don’t let hackers configure your devices • Disable unused interfaces • SNMP, Telnet, HTTP, • Use more secure interface • SSH, HTTPS • General policy is that management should be done from wired interface Pg 478
Wireless Hijacking • Attacker configures AP to mimic enterprise AP • Same SSID • Attacker can then capture traffic • Can then either set up for man in the middle • Send “real” traffic on and capture details • Bridging the fake AP to real AP • Also can use WiFi phishing • Setting up a false captive portal Pg 479
Denial Of Service • Prevent legitimate users from getting access • Hard to prevent • Need to remove device generating noise/traffic • Layer 1 jamming • Layer 2 • Deauthentication or deassociation packets • Flooding the AP with requests • Spectrum Analyzer can help with layer 1 • Protocol Analyzer will help with Layer 2 Pg 479
Other Attacks • Vendor Specific • Buffer overflow that attacks OS • Social Engineering • Tricking someone into giving away information • PSK!!! Pg 481
Intrusion Monitoring • Wireless Intrusion Detection Systems (WIDs) • Wireless Intrusion Prevention Systems (WIPS) • Can mitigate or respond Pg 481
WIDS • Wired ports must be controlled • Prevent rogue APs • WIDS often go up before network • Check for rogue APs and usage • WIDS server • Management Console • Sensors Pg 482
WIDS Sensors • Dedicated AP like devices that listen and report back to the management console/server • Can also be APs set into sensor mode • Or APs that scan as well as process traffic Pg 482
WIDS Sensors Pg 482
WIDS • Best at watching for layer 2 attacks • Can set alarms for “risky” traffic • Set thresholds • Different alert types • Overlay • Integrated • Integration enabled Pg 482
WIPS • Infrastructure device • This classification refers to any client station or access point that is an authorized member of the company’s wireless network. A network administrator can manually label each radio as an infrastructure device after detection from the WIPS or can import a list of all the company’s radio card MAC addresses into the system. • Unknown device • The unknown device classification is assigned automatically to any new 802.11 radios that have been detected but not classified as rogues. Unknown devices are considered interfering devices and are usually investigated further to determine whether they are a neighbor’s devices or a potential future threat. • Known device • This classification refers to any client station or access point that is detected by the WIPS and whose identity is known. A known device is initially considered an interfering device. The known device label is typically manually assigned by an administrator to radio devices of neighboring businesses that are not considered a threat. Pg 485
WIPS • Rogue device • The rogue classification refers to any client station or access point that is considered an interfering device and a potential threat. Most WIPS define rogue access points as devices that are actually plugged into the network backbone and are not known or managed by the organization. Most of the WIPS vendors use a variety of proprietary methods of determining whether a rogue access point is actually plugged into the wired infrastructure. • If a client is classified as a rogue, the WIPs can mitigate attack • Deauthenticate, deassociate • Spoof MAC of Rogue Pg 485
WIPS • Rogue device • The rogue classification refers to any client station or access point that is considered an interfering device and a potential threat. Most WIPS define rogue access points as devices that are actually plugged into the network backbone and are not known or managed by the organization. Most of the WIPS vendors use a variety of proprietary methods of determining whether a rogue access point is actually plugged into the wired infrastructure. • If a client is classified as a rogue, the WIPs can mitigate attack • Deauthenticate, deassociate • Spoof MAC of Rogue • Use SNMP to disable the wired port it is connected to Pg 485
Mobile WIDS • Laptop Version of the products • Mobile capabilities • Radio Card is sensor • Use to physically track down a Rogue AP • Some layer 1 functionality built in Pg 485
Spectrum Analyzer • Use for security as well as surveys • Many can look at the RF signature and tell you what kind of device it is • Mobile and distributed • Like WIDs Pg 487
Wireless Security Policy • How and what are you monitoring • How often should PSKs change Pg 487
Wireless Security Policy • General Security Policy • Functional Security Policy • Legislative Compliance Pg 487
Policy Recommendations • General Security Policy • Functional Security Policy • Legislative Compliance Pg 490
Exam Essentials • Understand the risk of the rogue access point. • Be able to explain why the rogue AP provides a portal into network resources. Understand that employees are often the source of rogue APs. • Define peer-to-peer attacks. • Understand that peer-to-peer attacks can happen via an access point or through an ad hoc network. Explain how to defend against this type of attack. • Know the risks of eavesdropping. • Explain the difference between casual and malicious eavesdropping. Explain why encryption is needed for protection. • Define authentication and hijacking attacks. • Explain the risks behind these types of attacks. Understand that a strong 802.1X/EAP solution is needed to mitigate them.
Exam Essentials • Explain wireless denial-of-service attacks. • Know the difference between layer 1 and layer 2 DoS attacks. Explain why these attacks cannot be mitigated and can only be monitored. • Understand the types of wireless intrusion solutions. • Explain the difference between a WIDS and a WIPS. Understand that most solutions are distributed client/server models. Know the various components of an intrusion monitoring solution as well as the various models. Understand which attacks can be monitored and which can be prevented. • Understand the need for a wireless security policy. • Explain the difference between general and functional policies.