620 likes | 1.81k Views
FORE SEC Academy Security Essentials. Wireless Network Security. Objectives. Learn how wireless networks are used Wireless architecture and protocols Common misconceptions Top 5 security risks Steps to planning a secure WLAN. Popular Wireless Devices.
E N D
FORESECAcademySecurity Essentials Wireless Network Security
Objectives • Learn how wireless networks are used • Wireless architecture and protocols • Common misconceptions • Top 5 security risks • Steps to planning a secure WLAN
Popular Wireless Devices • Personal Digital Assistants (PDA) • Cellular Phones • Handheld Computers • Laptops • Pagers
Wireless Advantages • Wiring takes time and money; wireless drastically reduces these costs • Users can access the network from anywhere • Mobility and connectivity • Usable in environments where wiring is difficult - Historic buildings - Factories, assembly lines, warehouse floors, hospitals, and financial trading floors -Temporary networks, such as exhibitions
Vertical Markets • Healthcare • Financial • Academia • Factories/Industrial • Retail
Wireless Architecture andProtocols • Ad-Hoc Networks • Infrastructure Networks • WAP • Bluetooth • 802.11
Ad-Hoc Architecture • Peer-to-peer networking • Unstructured connectivity • Used for LANs or PANs • Typically short-lived in duration • Often used for .point. connectivity • solutions
Infrastructure Architecture • Uses centralized access point or base station • Centralized authority for access to the medium • Typically responsible for security • Communicates with other centralized peers for roaming
Wireless Application Protocol(WAP) • WAP forum formally approved WAP 2.0 • Operates over a multitude of different wireless technologies: -Cellular Digital Packet Data (CDPD), Code Division Multiple Access (CDMA), and Global System Mobile (GSM) • Enables a multitude of wireless devices, including cell phones and PDAs, to have common access to the Internet • Built-in security at the transport layer
The “WAP Gap” • WTLS: Wireless Transport Layer Security • Used in version before WAP 2.0 • Requires WAP gateway to decrypt WTLS • transmission, and then re-encrypt as TLS/SSL • Sensitive data is exposed as it traverses the • gateway
Protecting Gateways • Ensure that WAP gateway never stores decrypted content on secondary media • Implement additional security at higher protocol layers • Physically secure the WAP gateway • Limit remote administrative access to the WAP gateway to inside the corporate firewall boundary • Add WAP devices to your PKI
Bluetooth • Used to connect disparate devices - Laptops, PDAs, and cell phones • Maximum bandwidth: 1 Mbps • No line-of-sight requirement • Supports data, voice, and content-centric applications • High degree of interference immunity • Up to seven simultaneous connections
Bluetooth Security • End user utilizes a PIN that is 4-16 bytes in length between multiple devices • Bluetooth uses the pin and its MAC address to generate security keys • Keys are used to authenticate Bluetooth “peers” and to encrypt transmission data
Bluetooth Security Issues • Susceptible to eavesdropping • Encryption mechanisms are often weak • Simple PIN numbers are often poorly selected and inadequate security • Tools such as RedFang and BlueSniff aredesigned to locate Bluetooth networks
802.11 Wireless • Supports ad-hoc and infrastructure networks • Supports roaming, fragmentation and reliable data delivery (positive acknowledgement) • Branched into 802.11a, 802.11b, and 802.11g -802.11a supports up to 54 Mbps @ 5GHz - 802.11b supports up to 11 Mbps @ 2.4GHz - 802.11b supports up to 11 Mbps @ 2.4 GHz
WEP Security Issues • WEP has proven to be an insecure encryption mechanism • Shared secrets do not remain secretive • Inability to rotate WEP keys produced stagnant shared secret implementations • Flaws in WEP implementation permit recovery of shared secrets • Accelerated WEP cracking becoming common
Improved 802.11 Security • IEEE 802.11i and 802.1x committees tasked with securing WLANs • 802.1X protocols improve WLAN security, but are still fallible • WPA-I protocol is better, but still has weaknesses that can be exploited • Future 802.11i/AES encryption has positive outlook
Common Misconceptions • General misconceptions • Technical misconceptions • Risk misconceptions
General Misconceptions • “I don’t need to worry about security because we aren’t using wireless for sensitive data” • “We don’t have any wireless”