1.4k likes | 1.59k Views
Ch. 8 – Security. This presentation was originally created by Prof. Rick Graziani. Few Modifications were made by Prof. Yousif. Overview. The goals of network security are to maintain integrity, protect confidentiality, and ensure availability.
E N D
Ch. 8 – Security This presentation was originally created by Prof. Rick Graziani. Few Modifications were made by Prof. Yousif
Overview • The goals of network security are to maintain integrity, protect confidentiality, and ensure availability. • The exponential growth of networking, including wireless technologies, has lead to increased security risks. • Many of these risks are due to hacking, as well as improper uses of network resources. • The specific weaknesses and vulnerabilities of WLANs will be covered. • Security configuration for APs, bridges, and clients will be shown and explained.
What is security? • Security usually refers to ensuring that users can perform only the tasks that they are authorized to do and can obtain only the information that they are authorized to have.
WLAN vulnerabilities • WLANs are vulnerable to specialized attacks. • Many of these attacks exploit technology weaknesses since 802.11 WLAN security is relatively new. • There are also many configuration weaknesses since some companies are not using the security features of WLANs on all their equipment. • Many devices are shipped with default administrator passwords. CommView DriftNet
WLAN threats • There are four primary classes of threats to wireless security: • Unstructured threats - individuals using easily available hacking tools • Structured threats - Hackers who are more highly motivated and technically competent. These people know wireless system vulnerabilities, and they can understand and develop exploit-code, scripts, and programs. • External threats - They work their way into a network mainly from outside the building such as parking lots, adjacent buildings or common areas. • Internal threats - internal access and misuse account for 60 to 80 percent of reported incidents.
Security Fundamentals • Wireless attack methods can be broken up into three categories: • Reconnaissance • Access attack • Denial of Service (DoS)
Reconnaissance • Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities. • Not usually illegal, but is illegal in some countries. • It is also known as information gathering and it usually precedes an actual access or DoS attack. • Reconnaissance is similar to a thief scouting a neighborhood for unsecure homes. • Wireless reconnaissance is often called wardriving.
Stumbler Code of Ethics v0.2 • http://www.worldwidewardrive.org/ • By RendermanRender@Renderlab.net • These are by no means rules that must be followed, but they are a collection of suggestions for safe, ethical, and legal stumbling. I encourage you to follow them and to inform others of them to help keep this hobby safe and legal. • 1. Do Not Connect!!: • At no time should you ever connect to any AP's that are not your own. Disable client managers and TCP/IP stacks to be sure. Simply associating can be interpreted as computer trespass by law enforcement. • 2. Obey traffic laws: • It's your community too, the traffic laws are there for everyone's safety including your own. Doing doughnuts at 3am gets unwanted attention from the authorities anyways.
Stumbler Code of Ethics v0.2 • 3. Obey private property and no-trespassing signs: • Don't trespass in order to scan an area. That's what the directional antenna is for :) You wouldn't want people trespassing on your property would you? • 4. Don't use your data for personal gain: • Share the data with like-minded people, show it to people who can change things for the better, use it for education but don't try and make any money or status off your data. It's just wrong to expect these people to reward you for pointing out their own stupidity. • 5. Be like the hiker motto of 'take only pictures, leave only footprints': • Detecting SSID's and moving on is legal, anything else is irresponsible to yourself and your community. • 6. Speak intelligently to others: • When telling others about wardriving and wireless security, don't get sensationalistic. Horror stories and FUD are not very helpful to the acceptance of wardrivers. Speak factually and carefully, Point out problems, but also point out solutions, especially how we are not the problem because we don't connect.
Stumbler Code of Ethics v0.2 • 7. If/When speaking to media, remember you are representing the community: • Your words reflect on our entire hobby and the rest of us. Do not do anything illegal no matter how much they ask. They may get pissed off, but at least you have demonstrated the integrity that this hobby requires. • This document is merely a set of suggestions for the Wardriving community, assembled over time from the Wardriving community. This is a living document so it will be updated from time to time. Suggestions and comments should be sent to Render@Renderlab.net. Feel free to copy, just make sure to leave the credits intact and a link back to the original if possible.
Reconnaissance • Commercial wireless protocol analyzers like AiroPeek (by WildPackets), AirMagnet, or Sniffer Wireless can be used to eavesdrop on WLANs. • Free protocol analyzers like Ethereal or tcpdump fully support wireless eavesdropping under Linux. • Utilities used to scan for wireless networks can be active or passive. • Passive tools, like Kismet, transmit no information while they are detecting wireless networks.
Access • System access, in this context, isthe ability for an unauthorized intruder to gain access to a device for which the intruder does not have an account or password. • Entering or accessing systems to which one does not have authorized access usually involves running a hack script or tool that exploits a known vulnerability of the system or application being attacked. • Includes • Exploitation of weak or non-existent passwords • Exploitation of services such as HTTP, FTP, SNMP, CDP, and Telnet. AirSnort
Access - Rogue AP Attack • Most clients will associate to the access point with the strongest signal. If an unauthorized AP, which is generally a rogue AP, has a strong signal, clients will associate to the rogue AP. • The rogue APwill have access to the network traffic of all associated clients. • The rogue AP can also use ARP and IP spoofing to trick clients into sending passwords and sensitive information.
Access - Wired Equivalent Privacy (WEP) Attacks • Attacks against WEP include Bit Flipping, Replay Attacks, and Weak IV collection. • Many WEP attacks have not been released from the laboratory, but they are well documented. • One utility, called AirSnort,captures weak Initialization Vectors to determine the WEP key being used. AirSnort
Denial of service (DoS) • DoS is when an attacker disables or corrupts wireless networks, systems, or services, with the intent of denying the service to authorized users. • DoS attacks take many forms. • In most cases, performing the attack simply involves running a hack, script, or tool.
One utility, called Wlan Jack, sends fake disassociation packets, which disconnect 802.11 clients from the access point.
The WLAN security wheel • An effective wireless security policy works to ensure that the network assets of the organization are protected from sabotage and from inappropriate access, which includes both intentional and accidental access. • All wireless security features should be configured in compliance with the security policy of the organization. • If a security policy is not present, or if the policy is out of date, the policy should be created or updated before deciding how to configure or deploy wireless devices.
First generation wireless security • Many WLANs used the Service Set Identifier (SSID) as a basic form of security. • Some WLANs controlled access by entering the media access control (MAC) address of each client into the wireless access points. • Neither option was secure, since wireless sniffing could reveal both valid MAC addresses and the SSID.
AP: "Allow any SSID" • Most access points have options like "SSID broadcast" and "Allow any SSID". • These features are usually enabled by default and make it easy to set up a wireless network. • The "Allow any SSID" option permits the access point to allow access to a client with a blank SSID. • The "SSID broadcast"sends beacon packets that advertise the SSID. • Disabling these two optionsdoes not secure the network, since a wireless sniffer can easily capture a valid SSID from normal WLAN traffic. • SSIDs should not be considered a security feature.
AP: "Allow any SSID" No Client SSID, but Associated! Set Guest Mode SSID • If you want the access point to allow associations from client devices that do not specify an SSID in their configurations, you can set up a guest SSID. • The access point includes the guest SSID in its beacon. • By default, the access point's default SSID, tsunami, is set to guest mode. • However, to keep your network secure, you should disable the guest mode SSID on most access points. AP Default
AP: “Do NOT allow any SSID" No Client SSID, NOT Associated! • Setting the Guest Mode SSID to NONE, will not allow clients that do not have and SSID to be able to associate. • Remember, it’s not difficult for someone to get the SSID, so this should not be a security measure. • The next step should be configuring WEP, WPA, or some other authentication/encryption on your AP. • You cannothave the same SSID set as Guest Mode and authentication/encryption. Changed to NONE
Wired equivalent privacy (WEP) AP • The IEEE 802.11 standard includes WEP to protect authorized users of a WLAN from casual eavesdropping. • The IEEE 802.11 WEP standard specified a 40-bit key, so that WEP could be exported and used worldwide. • Most vendors have extended WEP to 128 bits or more. • When using WEP, both the wireless client and the access point must have a matching WEP key. • WEP is based upon an existing and familiar encryption type, Rivest Cipher 4 (RC4). 128 bit WEP is sometimes referred to, and more accurately, as 104 bit WEP. Also, be sure Transmit Key numbers match, I.e. Key 1 on the both AP and ACU. ACU
Authentication and association • Open Authentication and Shared Key Authentication are the two methods that the 802.11 standard defines for clients to connect to an access point. • The association process can be broken down into three elements known as probe, authentication, and association. • This section will explain both authentication methods. Probe process Authentication process Association process Successful Authentication Successful Association State 1 Unauthenticated Unassociated State 2 Authenticated Unassociated State 3 Authenticated Associated Deauthentication Disassociation
Open Authentication • Open Authentication is basically a null authentication, which means there is no verification of the user or machine.
Authentication Process (Review) • On a wired network, authentication is implicitly provided by the physical cable from the PC to the switch. • Authentication is the process to ensure that stations attempting to associate with the network (AP) are allowed to do so. • 802.11 specifies two types of authentication: • Open-system • Shared-key (makes use of WEP)
Authentication Process – Open-System (Review) • Open-system authentication is really “no authentication”. • Open-system authentication is the only method required by 802.11 • You could buy an AP that doesn’t support Shared-key • The client and the station exchange authentication frames.
Authentication Process – Open-System (Review) • The client: • Sets the Authentication Algorithm Number to 0 (open-system) • Set Authentication Transaction Sequence Number to 1 • The AP: • Sets the Authentication Algorithm Number to 0 (open-system) • Set Authentication Transaction Sequence Number to 2 • Status Code set to 0 (Successful) Frame Control omitted in this Authentication Response
Open Authentication • Typical Open Authentication on both AP and Client with No WEP keys
Open Authentication and WEP • Remember there are three steps to Association: • Probe • Authentication • Association • A client can associate with an AP, but use WEP to send the encrypted data packets. • Authentication and data encryption are two different things. • Authentication – Is the client allowed to associate with this AP? • Encryption – Encrypts the data (payload) and ICV (Integrity Check Value) fields of the 802.11 MAC, not the other fields. • So a client could Associate with the AP, using Open Authentication (basically no authentication), but use WEP to encrypt the data frames sent after its associated.
Open Authentication and WEP • In some configurations, a client can associate to the access point with an incorrect WEP key or even no WEP key. • The AP must be configured to allow this (coming). • A client with the wrong WEP key will be unable to send or receive data, since the packet payload will be encrypted. • Keep in mind that the header is not encrypted by WEP. • Only the payload or data is encrypted. Associated but data cannot be sent or received, since it cannot be unencrypted.
Open Authentication - Optional WEP Encryption (AP) • 802.11 allows client to associate with AP. • Cisco AP must have WEP Encryption set to Optional • Association successful with any of these options on the client: • Matching WEP key • Non-matching WEP key • No WEP key
Authentication Process – Shared-Key • Shared keyrequires the client and the access point to have the same WEP key. • An access point using Shared Key Authentication sends a challenge text packet to the client. • If the client has the wrong key or no key, it will fail this portion of the authentication process. • The client will not be allowed to associate to the AP.
Authentication Process – Shared-Key (Review) • Shared-key authentication uses WEP (Wired Equivalent Privacy) and can only be used on products that support WEP. • 802.11 requires any stations that support WEP to also support shared-key authentication.
Authentication Process – Shared-Key (Review) • WEP is an encryption algorithm, not a method of authentication. • Shared-key authentication makes use of WEP, and therefore can only be used on APs and clients that implement WEP. • However, 802.11 requires that any stations implementing WEP also implement shared key authentication. • Shared-key authentication requires that a shared key be distributed to stations before attempting authentication. Shared-key = RadiaPerlman Shared-key = RadiaPerlman Authentication Request with Challenge Text Authentication Response with Status Code
Authentication Process – Shared-Key (Review) • The client: • Sets the Authentication Algorithm Number to 1 (shared-key) • Set Authentication Transaction Sequence Number to 1 • The AP: • Sets the Authentication Algorithm Number to 1 (shared-key) • Set Authentication Transaction Sequence Number to 2 • Status Code set to 0 (Successful) • Challenge Text (later) • The client: • Sets the Authentication Algorithm Number to 1 (shared-key) • Set Authentication Transaction Sequence Number to 3 • Challenge Text (later) • The AP: • Sets the Authentication Algorithm Number to 1 (shared-key) • Set Authentication Transaction Sequence Number to 4 • Status Code set to 0 (Successful)
Authentication Process • Authentication • Open-System • Shared-Key (WEP) • Encryption • None • WEP only or
Access Point Authentication • Open Authentication—Allows your client adapter, regardless of its WEP settings, to authenticate and attempt to communicate with an access point. Open Authentication is the default setting. • Shared Key Authentication—Allows your client adapter to communicate only with access points that have the same WEP key. This option is available only if Use Static WEP Keys is selected. • In shared key authentication, the access point sends a known unencrypted "challenge packet" to the client adapter, which encrypts the packet and sends it back to the access point. The access point attempts to decrypt the encrypted packet and sends an authentication response packet indicating the success or failure of the decryption back to the client adapter. If the packet is successfully encrypted/decrypted, the user is considered to be authenticated. • Note Cisco recommends that shared key authentication not be used because it presents a security risk.
Encryption Modes • Indicates whether clients should use data encryption when communicating with the device. The three options are: • None - The device communicates only with client devices that are not using WEP. • WEP Encryption - Choose Optional or Mandatory. • If optional, client devices can communicate with this access point or bridge with or without WEP. • If mandatory, client devices must use WEP when communicating with the access point. Devices not using WEP are not allowed to communicate. WEP (Wired Equivalent Privacy) is an 802.11 standard encryption algorithm originally designed to provide with a level of privacy experienced on a wired LAN. The standard defines WEP base keys of size 40 bits or 104 bits.
In Summary • Client • Use Open Authentication on the client (does not use WEP, challenge transaction, during authentication). • Use WEP for Data Encryption. • AP • Use Open Authentication • Use Mandatory WEP Encryption, Devices not using WEP are not allowed to communicate.
Wi-Fi WPA Presentation • Welcome to the Wi-Fi Protected Access (WPA) Security Web page. Here you will find all the latest updates on WPA and the Wi-Fi Alliance's wireless LAN security improvements. • A 60-minute Web cast regarding WPA and the Wi-Fi Alliance's response to the need for improved WLAN security was held on June 11, 2003. The Web cast included a 40-minute presentation titled "Wi-Fi Protected Access: Locking Down the Link," in which Michael Disabato (Senior Analyst, Burton Group) reviewed the features and benefits of WPA, highlighted wired equivalent privacy (WEP) weaknesses, discussed wireless LAN implementation issues, reviewed the second phase of WPA (WPA2) and provided WLAN security recommendations. Mr. Disabato's presentation was followed by a 20-minute question and answer session that included several of the industry's most knowledgable WLAN security experts. http://www.wifialliance.org/opensection/protected_access.asp
Secure 802.11 WLANs Thanks to Pejman Roshan and Jonathan Leary at Cisco Systems, authors of 802.11 Wireless LAN Fundamentals for allowing me to use their graphics and examples for this part of the presentation.
Secure 802.11 WLANs • WLAN industry recognized the vulnerabilities of 802.11 authentication and data privacy. • Changes are being incorporated into the 802.11i draft standard. • To date, 802.11i draft has not been passed as a standard. (Due May 2004) • Wi-Fi Alliance has put together a subset of the components of 802.11i called Wi-Fi Protected Access (WPA). • This part of the presentation explains 802.11i and WPA.
Secure 802.11 WLANs • Many mistakenly believe WEP to be the only component to WLAN security. • Wireless security consists of four facets: • The Authentication Framework – The mechanism that accommodates the authentication algorithm by securely communicating messages between the client, AP, and authentication Server. • The Authentication Algorithm – Algorithm that validates the user credentials. • The Date Privacy Algorithm – Algorithm that provides data privacy across the wireless medium for data frames. • The Date Integrity Algorithm – Algorithm that provides data integrity across the wireless medium to ensure to the receiver that the data frame was not tampered with.
1. The Authentication Framework • The authentication framework in 802.11 is the 802.11 authentication management frame. • The authentication frame facilitates Open and Shared Key authentication algorithms, yet the frame itself does not possess the ability to authenticate the client.