Wireless Access and Security
Dr. Lenny Superville, Ph.D.
CIO: NC Office of the State Auditor
NC Digital Government Summit, September 13-14, 2005
Focus in this Presentation
• Why do some Government Agencies choose to go with Proprietary instead of Standards Based Wireless Networks (WLANs)? And why do some not?
• Some Well Used Proprietary Wireless Networks – Secret
• A survey of 802.11 (Wi-Fi)/WLAN wireless networking standards – Open
• Hackers’ tools used to sniff or intrude on WLAN networks – Threats
• Effective options to keep unauthorized users/hackers out of WLAN networks – Countermeasures
• A Protection Methodology for WLAN Mobile Computing – While Performing Day-to-Day Operations
At the End of this Presentation, you should be able to understand:
• The major security concerns associated with the various wireless topologies, especially standards based
• The vulnerabilities of WLAN mobile computing environments
• The defenses available to protect WLAN mobile computing environments
• Best Practices to implement and maintain data security while using wireless data communications in day-to-day operations
Well Known Examples of Secured Proprietary Wireless/Wired Networks
• Proprietary means (Secret encryption algorithm + Hardware):
• NIPRNET – (DoD) Unclassified but Sensitive Internet Protocol Router Network (BLUE)
• SIPRNET – (DoD) Classified Internet Protocol Router Network (RED)
• Land Warrior Computer/Radio Subsystem – (Army)
• CAISI (Army) – Combat Service Support Automated Information System Interface
• The lesser known, the better the security
• Beware: This technology requires additional, costly hardware and IT staff to implement and maintain.
Characteristics of Proprietary Enterprise Wireless Secured Networks – Complete Solution
• Sophisticated Encryption
• Strong Authentication
• Stringent Access Control
• http://www.airdefense.net/
• http://www.cisco.com/
• http://www.airmagnet.com/
• This combined technology implementation is so successful because it acts as a secure gateway to numerous networks that must be accessed
Questions – 5 minutes
WLANs – Wireless Networking/IEEE Standards – Open WEP/WLAN/Radio Waves
• 802.11 or Wi-Fi
• 802.11b: 2.4 GHz, 11 Mbps
• 802.11a: 5.8 GHz, 54 Mbps
• 802.11g: 2.4 GHz, 54 Mbps
• 802.11i: Security solution for 802.11a/b/g
802.11a and 802.11g are both 54 Mbps; 802.11g has the lower operating frequency and therefore the greater range.
EAP, short for Extensible Authentication Protocol, is a general protocol for authentication. IEEE 802.1x specifies how EAP should be encapsulated in LAN frames.
IEEE 802.11 WLANs (Standards Based – Open)
• WEP – Fixed Key: Can be broken, Machine Authorization only
• EAP-MD5 – No Certificates, TKIP (Rotating Key – Dictionary Attack), Human Authentication (802.1x), Server Authorization
• EAP-LEAP – No Certificates, TKIP
• EAP-TLS – 2 Certificates, TKIP
• EAP-FAST – No Certificates (All Cisco)
• EAP-TTLS – 1 Certificate, TKIP
• EAP-PEAP – 1 Certificate, TKIP
• EAP-WPA – 802.11 TKIP?
• EAP-WPA2 – 802.11, CCMP, AES (3 Key sizes)
• AES may be the answer to secure standards based WLANs.
Examples of Government Efforts to Implement 802.11 Wireless Networks (WLANs)
• In the 1990’s the Wired Equivalent Privacy (WEP) protocol was attempted, but in 2001 security exposures were found in IEEE 802.11b networks
• In the 1990’s the Data Encryption Standard (DES) was found to be vulnerable
• As of 2002, the Advanced Encryption Standard (AES) with its 3 different key sizes – 128, 192 and 256 bit – may be the solution.
• As of 2005, AES is still the best bet for a secured WLAN.
Threats to WLANs – A threat can be the perception of insecurity
War Driving – driving through a street to discover wireless networks – for possible attack or just for the hell of it.
• Netstumbler is a well known freeware tool used to discover WLANs if the SSID (network name) broadcast is enabled
• Kismet discovers WLANs even if the SSID broadcast is disabled
• KisMAC – Can be used for Security/Intrusion
Examples of War Driving Tools – Intrusion is entry by force or without permission or welcome
Check http://www.netstumbler.com
• Netstumbler (Windows); Ministumbler (CE/PocketPC)
Check http://www.kismetwireless.net
• Kismet (Linux/Unix)
Check http://www.remote-exploit.org
• Wellenreiter (Linux/Unix)
Some Major Threats – You should know
• Wired Mobile LANs used for training at Corp. sites (e.g. Ethernet)
• Mobile Wireless LANs used for training at Corp. sites (e.g. WEP, EAP-WPA2)
• Wireless Internet Service Provider (WISP) – Theft of Service
• Hotspot Hijinks – Pagejacking
• Wireless Sniffing – Interception of Traffic
Note: Wireless Sniffing is passive in nature and hence undetectable
Countermeasures to WLANs – A countermeasure is an action taken to offset another action
A countermeasure is a system (usually for a military application) designed to prevent weapons (Threats) from acquiring and/or destroying a target (WLANs).
WLAN Countermeasures: Are they reliable?
• Wired Equivalent Privacy (WEP): a security protocol for wireless local area networks (WLANs)
• Attributes:
• Defined in the 802.11b standard.
• IEEE security for 802.11 – component of
• Concerns:
• AirSnort, once enough packets are gathered, can guess the encryption password in less than a second
• Uses RC4 encryption
• Improper use of the IV makes the protocol vulnerable
• Uses only one key – never changed
Note: 128 bit WEP is not officially part of the standard – some manufacturers’ key entry methods are incompatible
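The two WEP concerns listed above, "improper use of the IV" and "only one key, never changed", are the same weakness seen from two sides: RC4 is keyed with the cleartext 24-bit IV prepended to the fixed key, so the keystream repeats whenever an IV repeats. The following added example (not from the presentation) uses a textbook RC4 with a constructed key, IV and frame contents to show that one predictable frame gives away the keystream for its IV, and how quickly a busy access point runs out of IVs.

```python
# Added example (not from the presentation): why a fixed WEP key with a
# 24-bit IV leads to keystream reuse. Textbook RC4; the key, IVs and frame
# contents used with it are constructed sample values.
IV_BITS = 24                      # WEP IV size, transmitted in the clear


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, body: bytes) -> bytes:
    """WEP frame body: cleartext IV, then body XOR RC4(IV || shared key).
    The CRC-32 integrity value that real WEP appends is omitted here."""
    assert len(iv) == IV_BITS // 8
    return iv + xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))


def keystream_from_known_frame(frame: bytes, known_body: bytes) -> bytes:
    """The weakness itself: one frame with predictable contents (a fixed-format
    protocol message, for instance) yields the whole keystream for its IV."""
    return xor_bytes(frame[3:], known_body)


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Every other frame sent under the same key and IV falls to that keystream,
    without the shared key ever being recovered."""
    return xor_bytes(frame[3:], keystream)


def seconds_until_iv_repeat(frames_per_second: int) -> float:
    """With the key never rotated, a busy AP exhausts the 2**24 IVs in hours."""
    return (2 ** IV_BITS) / frames_per_second
```

The keystream repetition is why later schemes on this page (TKIP, and finally CCMP/AES in WPA2) replace the fixed key with per-session keys and a per-packet counter rather than patching WEP.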
Countermeasures: Reliable? (Cont’d)
• Service set identifier (SSID)/password is also referred to as a network name
• Attributes:
• Blanks the SSID field in the 802.11 Beacon Frame
• Disables response to any Probe Request
• No SSID – no association – (T/F)?
• Concerns:
• The SSID is broadcast in all client association frames in the clear
• Tools can force a client to disassociate and re-associate to expose the SSID
ESSID-Jack, a freeware tool, can expose a hidden SSID in seconds
Countermeasures: Reliable? (Cont’d)
• MAC Address Filtering: Media Access Control address, a hardware address that uniquely identifies each node of a network
• Attributes:
• Place authorized MACs in each AP
• If you don’t have a valid MAC, you can’t get in, (T/F)?
• Concerns:
• MACs are easily sniffed
More than 50% of WLANs in major cities have no security.
Countermeasures: Reliable? (Cont’d)
Cisco LEAP (Lightweight Extensible Authentication Protocol):
Attributes:
• Username/Password required for access
• WEP keys rotate, making AirSnort useless
• EAP-MSCHAPv2 can be used as an inner authentication method with EAP-PEAP and EAP-TTLS.
Concern:
• Use of MS-CHAPv2 exposes credentials to a devastating and efficient dictionary attack
See http://asleap.sourceforge.net for additional details
Best Buy and Lowe’s have experienced WLAN security breaches
Countermeasures: Reliable? (Cont’d)
IPSec Overlay: IPSec is an Internet standard framework for the establishment and management of data privacy between network entities.
Attributes: NAT and NAPT are techniques used to share and hide private IP addresses on edge devices like routers and firewalls.
Concerns: Unfortunately, when an IPsec session runs through NAT or NAPT, security is often compromised
1. Broadcast frames unencrypted
2. ARP poisoning… DoS attack
3. Client protection only after authentication
Countermeasures: Reliable? (Cont’d)
802.1x / WPA / 802.11i: Wi-Fi Protected Access for WLANs
Attributes:
• In the 802.11 standard, 802.1x authentication was optional; 802.1x authentication is required in WPA
• The 802.11i standard addresses many of the security issues of the original 802.11 standard.
Concerns:
• Single factor authentication (with few exceptions)
• Multiple EAP types offer questionable security and vendor incompatibilities
• Attacks already presented against WPA
WPA has a built-in security mechanism that responds to authentication attacks by shutting down the AP, sometimes for up to one minute.
Questions – 5 minutes
Best Practices to implement & maintain data security – While Performing Day-to-Day Operations with WLANs
• Risk Analysis – Assess vulnerabilities of the Security Architecture
• Well Written Security Policies
• A Secure Environment for Applications that produce data – Strong Passwords
• Secure Servers where the data is stored – Robust Physical/Network Access controls
• Secure Network Level – Firewall, IPS, IDP, etc.
• Protection against Rogue Access Points
A Protection Methodology – Now that some of the risks are understood, some prevention methods in a network infrastructure will be discussed.
• a. Host Protection – Remote Users
• b. Data Encryption – Remote Users & Internal Network
• c. Access Methods – Client vs Clientless VPNs
• d. Authentication Technologies – Control Access to Resources
• e. Endpoint Security Compliance – Minimum Requirements for Access
• f. Protecting Internal Systems – Modular Approach
• g. Environments Favorable to Working with Wireless – Firewalls, Anti-Virus, Strong Authentication, etc.
a. Host Protection (Remote User) – A centrally managed anti-virus platform is key
Protecting a remote host is paramount to protecting corporate data, assets and services. This can be accomplished by using a centrally managed anti-virus platform that:
• Provides visibility to remote systems upon connection
• Pushes updates to remote systems
• Synchronizes log information
A centrally managed host firewall platform that resides on the laptops and also provides some form of intrusion detection/prevention will protect a remote host and the internal network. Visibility of connection attempts and intrusion attempts will enable system administrators to fine-tune and adjust the technical controls and strengthen the overall posture of the organization.
b. Data Encryption – provides a measure of confidentiality
• Users need to be aware of the risks associated with data on mobile devices. Ask yourself “what will be the situation if this device is lost or stolen?”
• Data encryption provides a measure of confidentiality if the laptop were to be lost, stolen or accessed by an unauthorized individual.
• This can be accomplished by numerous commercially available products.
• One drawback to the use of data encryption is the potential for a user to experience latency while working with encrypted files.
c. Access Methods – A case for Client VPN (Fat Client)
A traditional virtual private network (VPN) connection that utilizes industry standard encryption can provide local-like access to remote resources. VPNs typically require the use of a client or software utility that provides the mechanism for remote connectivity. VPN clients can provide a level of security to the remote host by disallowing unsolicited connections from unauthorized hosts.
c. Access Methods – A case for Clientless VPN (Thin Client)
Clientless VPNs are becoming more popular and are implemented using secure sockets layer (SSL) technology. These operate in the same manner as a secured website (online banking) and can provide an access capability similar to a client VPN. There are limitations as to the types of services that can be used, but many of these limitations can be overcome by implementing enhancements such as web-enabled application servers. Web-enabled application services, e.g. Citrix, can also mitigate many of the issues relative to client VPNs. This approach provides only a “window” for the remote user to perform tasks, while using the operating system and resources of the application server. System administrators can focus much of their effort on maintaining the application server and less on the remote hosts.
d. Authentication Technologies – To control access to resources
User authentication is the method used to control access to resources and ensure that only authorized individuals are permitted access to internal systems. A standard username and password are the primary credentials required for access to most systems. These, however, can be easily compromised or guessed if a strong password policy isn’t implemented and enforced. Two-factor authentication is a method that combines something you know (word, phrase, or numbers) with something you have (token). This method of access ensures that only individuals in possession of a device (token) with the correct PIN can gain entry to corporate resources. Brute force attacks launched against a corporate asset protected by two-factor authentication are futile.
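The "something you know plus something you have" check described above, on the server side, as an added example (not from the presentation): the token code is HOTP (RFC 4226), and the PIN, token seed and counter values are constructed sample values; keeping the PIN hashed and a small look-ahead window are assumptions about the deployment.

```python
# Added example (not from the presentation): server-side verification of
# PIN + hardware-token code. HOTP per RFC 4226; seed, PIN and counters are
# constructed sample values, and hashing the PIN is an assumption.
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenAccount:
    """What the authentication server holds for one user."""

    def __init__(self, pin: str, seed: bytes, look_ahead: int = 3):
        self.pin_hash = hashlib.sha256(pin.encode()).digest()  # assumption: PIN kept hashed
        self.seed = seed              # shared with the hardware token at enrolment
        self.counter = 0              # next counter value the server expects
        self.look_ahead = look_ahead  # tolerate a few unused presses of the token button

    def verify(self, pin: str, code: str) -> bool:
        """Grant access only when the PIN and a fresh token code both match.
        An accepted counter value is burned, so a captured code cannot be replayed."""
        pin_ok = hmac.compare_digest(
            self.pin_hash, hashlib.sha256(pin.encode()).digest())
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.seed, c), code):
                if not pin_ok:
                    return False      # right token, wrong PIN: no access, counter untouched
                self.counter = c + 1  # resynchronise and burn the value
                return True
        return False                  # no code in the window: the PIN alone opens nothing
```

A guessed password is useless without the current token value, and a value captured over the air is rejected once it has been used, which is the property the slide relies on when it calls brute force futile.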
e. Endpoint Security Compliance – minimum requirements for access
• Written policy, standards and guidelines are important and must address such issues as support, operating systems, minimum browser versions and minimum patch levels.
• This policy should also state what is prohibited, such as user-installed applications or spyware.
• This security policy enforcement can be accomplished with technical controls as a user attempts to connect to the network.
e. Endpoint Security Compliance – (Cont’d)
• Hosts can be audited for domain membership, the existence and status of anti-virus software, patch revision levels, intrusion detection signature revision levels and operating system configuration.
• Checks can also be performed to ensure that rogue software is not present on the machine, such as peer-to-peer file sharing applications and instant messaging.
• Checking the remote host “at the door”, prior to allowing access to internal resources, is a measure that can prevent the introduction of a multitude of issues to a protected network.
f. Protecting Internal Systems – modular, VLANs, defense in depth
A solid network design will take a modular approach by placing resources in a manageable area that can be monitored and protected. The use of virtual local area networks (VLANs) in conjunction with intrusion detection and intrusion prevention (IDS/IDP) systems can provide an additional layer of protection from potential attacks via remotely connected hosts. This method adds an additional layer of visibility into network activity internal to the organization. Providing access to internal resources is necessary, but ensuring that the internal network is protected from home/hotel/airport users is often overlooked.
g. Environments Favorable to Wireless Computing – Firewall protection, anti-virus and strong authentication
Accessing the Internal Network is possible from many environments and across many types of potentially hostile networks. To protect the remote device and its data while in these hostile environments, several minimum security controls should be in place: firewall protection, anti-virus and strong authentication for the remote access technology are essential. Firewall protection can exist in the form of software on the PC, or in the form of hardware like the small consumer devices that are available. Wireless hotspots, foreign corporate environments, hotel rooms, home networks and coffee shops are all capable of being “home” to a remote user, and all present threats to the “trusted” device while remote.
Any Questions?
Dr. Lenny Superville, Ph.D.
Chief Information Officer (CIO)
Office of the State Auditor
2 S. Salisbury Street
20601 Mail Service Center
Raleigh, NC 27699-0601
Tele: (919) 807 7625
Fax: (919) 807 7647
lenny_superville@ncauditor.net