Ch. 8 – Security (Draft) Cisco Fundamentals of Wireless LANs version 1.1 Rick Graziani Cabrillo College
Overview • The goals of network security are to maintain integrity, protect confidentiality, and ensure availability. • The exponential growth of networking, including wireless technologies, has led to increased security risks. • Many of these risks are due to hacking, as well as improper use of network resources. • The specific weaknesses and vulnerabilities of WLANs will be covered. • Security configuration for APs, bridges, and clients will be shown and explained. Rick Graziani graziani@cabrillo.edu
What is security? • Security usually refers to ensuring that users can perform only the tasks that they are authorized to do and can obtain only the information that they are authorized to have.
WLAN vulnerabilities • WLANs are vulnerable to specialized attacks. • Many of these attacks exploit technology weaknesses, since 802.11 WLAN security is relatively new. • There are also many configuration weaknesses, since some companies are not using the security features of WLANs on all their equipment. • Many devices are shipped with default administrator passwords. (Screenshots: CommView, DriftNet)
WLAN threats • There are four primary classes of threats to wireless security: • Unstructured threats - individuals using easily available hacking tools. • Structured threats - hackers who are more highly motivated and technically competent. These people know wireless system vulnerabilities, and they can understand and develop exploit code, scripts, and programs. • External threats - they work their way into a network mainly from outside the building, such as parking lots, adjacent buildings, or common areas. • Internal threats - internal access and misuse account for 60 to 80 percent of reported incidents.
Security Fundamentals • Wireless attack methods can be broken up into three categories: • Reconnaissance • Access attack • Denial of Service (DoS)
Reconnaissance • Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities. • It is not usually illegal, though it is illegal in some countries. • It is also known as information gathering, and it usually precedes an actual access or DoS attack. • Reconnaissance is similar to a thief scouting a neighborhood for unsecured homes. • Wireless reconnaissance is often called wardriving.
Reconnaissance - Wardriving Maps
Stumbler Code of Ethics v0.2 • http://www.worldwidewardrive.org/ • By Renderman, Render@Renderlab.net • These are by no means rules that must be followed, but they are a collection of suggestions for safe, ethical, and legal stumbling. I encourage you to follow them and to inform others of them to help keep this hobby safe and legal. • 1. Do Not Connect!!: • At no time should you ever connect to any APs that are not your own. Disable client managers and TCP/IP stacks to be sure. Simply associating can be interpreted as computer trespass by law enforcement. • 2. Obey traffic laws: • It's your community too; the traffic laws are there for everyone's safety, including your own. Doing doughnuts at 3am gets unwanted attention from the authorities anyways.
Stumbler Code of Ethics v0.2 • 3. Obey private property and no-trespassing signs: • Don't trespass in order to scan an area. That's what the directional antenna is for :) You wouldn't want people trespassing on your property, would you? • 4. Don't use your data for personal gain: • Share the data with like-minded people, show it to people who can change things for the better, use it for education, but don't try and make any money or status off your data. It's just wrong to expect these people to reward you for pointing out their own stupidity. • 5. Be like the hiker motto of 'take only pictures, leave only footprints': • Detecting SSIDs and moving on is legal; anything else is irresponsible to yourself and your community. • 6. Speak intelligently to others: • When telling others about wardriving and wireless security, don't get sensationalistic. Horror stories and FUD are not very helpful to the acceptance of wardrivers. Speak factually and carefully; point out problems, but also point out solutions, especially how we are not the problem because we don't connect.
Stumbler Code of Ethics v0.2 • 7. If/When speaking to media, remember you are representing the community: • Your words reflect on our entire hobby and the rest of us. Do not do anything illegal no matter how much they ask. They may get pissed off, but at least you have demonstrated the integrity that this hobby requires. • This document is merely a set of suggestions for the Wardriving community, assembled over time from the Wardriving community. This is a living document so it will be updated from time to time. Suggestions and comments should be sent to Render@Renderlab.net. Feel free to copy, just make sure to leave the credits intact and a link back to the original if possible.
Reconnaissance • Commercial wireless protocol analyzers like AiroPeek (by WildPackets), AirMagnet, or Sniffer Wireless can be used to eavesdrop on WLANs. • Free protocol analyzers like Ethereal or tcpdump fully support wireless eavesdropping under Linux. • Utilities used to scan for wireless networks can be active or passive. • Passive tools, like Kismet, transmit no information while they are detecting wireless networks.
Access • System access, in this context, is the ability of an unauthorized intruder to gain access to a device for which the intruder does not have an account or password. • Entering or accessing systems to which one does not have authorized access usually involves running a hack script or tool that exploits a known vulnerability of the system or application being attacked. • Includes: • Exploitation of weak or non-existent passwords • Exploitation of services such as HTTP, FTP, SNMP, CDP, and Telnet. (Screenshot: AirSnort)
Access - Rogue AP Attack • Most clients will associate to the access point with the strongest signal. If an unauthorized AP, which is generally a rogue AP, has a strong signal, clients will associate to the rogue AP. • The rogue AP will have access to the network traffic of all associated clients. • The rogue AP can also use ARP and IP spoofing to trick clients into sending passwords and sensitive information.
CiscoWorks WLSE detects Rogue APs
Access - Wired Equivalent Privacy (WEP) Attacks • Attacks against WEP include bit flipping, replay attacks, and weak IV collection. • Many WEP attacks have not been released from the laboratory, but they are well documented. • One utility, called AirSnort, captures weak Initialization Vectors to determine the WEP key being used. (Screenshot: AirSnort)
Denial of service (DoS) • DoS is when an attacker disables or corrupts wireless networks, systems, or services, with the intent of denying the service to authorized users. • DoS attacks take many forms. • In most cases, performing the attack simply involves running a hack, script, or tool.
One utility, called Wlan Jack, sends fake disassociation packets, which disconnect 802.11 clients from the access point.
The WLAN security wheel • An effective wireless security policy works to ensure that the network assets of the organization are protected from sabotage and from inappropriate access, which includes both intentional and accidental access. • All wireless security features should be configured in compliance with the security policy of the organization. • If a security policy is not present, or if the policy is out of date, the policy should be created or updated before deciding how to configure or deploy wireless devices.
First generation wireless security • Many WLANs used the Service Set Identifier (SSID) as a basic form of security. • Some WLANs controlled access by entering the media access control (MAC) address of each client into the wireless access points. • Neither option was secure, since wireless sniffing could reveal both valid MAC addresses and the SSID.
AP: "Allow any SSID" • Most access points have options like "SSID broadcast" and "Allow any SSID". • These features are usually enabled by default and make it easy to set up a wireless network. • The "Allow any SSID" option permits the access point to allow access to a client with a blank SSID. • The "SSID broadcast" option sends beacon packets that advertise the SSID. • Disabling these two options does not secure the network, since a wireless sniffer can easily capture a valid SSID from normal WLAN traffic. • SSIDs should not be considered a security feature.
AP: "Allow any SSID" (screenshot: no client SSID, but associated; Guest Mode SSID set to the AP default) • If you want the access point to allow associations from client devices that do not specify an SSID in their configurations, you can set up a guest SSID. • The access point includes the guest SSID in its beacon. • By default, the access point's default SSID, tsunami, is set to guest mode. • However, to keep your network secure, you should disable the guest mode SSID on most access points.
AP: "Do NOT allow any SSID" (screenshot: no client SSID, NOT associated; Guest Mode changed to NONE) • Setting the Guest Mode SSID to NONE will not allow clients that do not have an SSID to associate. • Remember, it is not difficult for someone to get the SSID, so this should not be relied on as a security measure. • The next step should be configuring WEP, WPA, or some other authentication/encryption on your AP. • You cannot have the same SSID set as Guest Mode and authentication/encryption.
Wired equivalent privacy (WEP) • The IEEE 802.11 standard includes WEP to protect authorized users of a WLAN from casual eavesdropping. • The IEEE 802.11 WEP standard specified a 40-bit key, so that WEP could be exported and used worldwide. • Most vendors have extended WEP to 128 bits or more. • When using WEP, both the wireless client and the access point must have a matching WEP key. • WEP is based upon an existing and familiar encryption type, Rivest Cipher 4 (RC4). Note: 128-bit WEP is sometimes, and more accurately, referred to as 104-bit WEP. Also, be sure the Transmit Key numbers match, i.e. Key 1 on both the AP and the ACU. (Screenshots: AP and ACU)
Authentication and association • Open Authentication and Shared Key Authentication are the two methods that the 802.11 standard defines for clients to connect to an access point. • The association process can be broken down into three elements known as probe, authentication, and association. • This section will explain both authentication methods. (Diagram: probe process, authentication process, association process. State 1: Unauthenticated, Unassociated; successful authentication leads to State 2: Authenticated, Unassociated; successful association leads to State 3: Authenticated, Associated. Deauthentication returns a client to State 1; disassociation returns it to State 2.)
Open Authentication • Open Authentication is basically a null authentication, which means there is no verification of the user or machine.
Authentication Process (Review) • On a wired network, authentication is implicitly provided by the physical cable from the PC to the switch. • Authentication is the process to ensure that stations attempting to associate with the network (AP) are allowed to do so. • 802.11 specifies two types of authentication: • Open-system • Shared-key (makes use of WEP)
Authentication Process – Open-System (Review) • Open-system authentication is really "no authentication". • Open-system authentication is the only method required by 802.11. • You could buy an AP that doesn't support Shared-key. • The client and the AP exchange authentication frames.
Authentication Process – Open-System (Review) • The client: • Sets the Authentication Algorithm Number to 0 (open-system) • Sets the Authentication Transaction Sequence Number to 1 • The AP: • Sets the Authentication Algorithm Number to 0 (open-system) • Sets the Authentication Transaction Sequence Number to 2 • Sets the Status Code to 0 (Successful) (Frame Control omitted in this Authentication Response)
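As an added example (not from the course material), the open-system exchange above and the three client states from the "Authentication and association" slide, modelled in Python, with the "SSID broadcast" and "Allow any SSID" (guest mode) options from the earlier AP slides folded in. The AccessPoint class, the MAC addresses and the SSID "net" in the usage are assumptions; status code 13 is the 802.11 value for an unsupported authentication algorithm.

```python
from typing import Optional

OPEN_SYSTEM = 0                 # Authentication Algorithm Number for open-system
STATUS_SUCCESS = 0
STATUS_ALG_NOT_SUPPORTED = 13   # 802.11 status code: authentication algorithm not supported


def open_auth_request() -> dict:
    """Client's first frame: algorithm 0, transaction sequence number 1."""
    return {"alg": OPEN_SYSTEM, "seq": 1}


class AccessPoint:
    """Hypothetical AP tracking each client MAC through 802.11 States 1, 2 and 3."""

    def __init__(self, ssid: str, broadcast_ssid: bool = True, allow_any_ssid: bool = True):
        self.ssid = ssid
        self.broadcast_ssid = broadcast_ssid   # "SSID broadcast": beacons/probe replies carry the SSID
        self.allow_any_ssid = allow_any_ssid   # "Allow any SSID" / guest mode
        self.state: dict = {}                  # MAC -> 2 or 3; absent means State 1

    def state_of(self, mac: str) -> int:
        return self.state.get(mac, 1)

    def probe(self, requested_ssid: str) -> Optional[str]:
        """Probe phase: a blank probe is answered only while SSID broadcast is on."""
        if requested_ssid == self.ssid or (requested_ssid == "" and self.broadcast_ssid):
            return self.ssid
        return None

    def authenticate(self, mac: str, frame: dict) -> dict:
        """AP reply: sequence number 2 plus a status code; success moves the client to State 2."""
        if frame["alg"] != OPEN_SYSTEM:
            return {"alg": frame["alg"], "seq": 2, "status": STATUS_ALG_NOT_SUPPORTED}
        self.state[mac] = 2
        return {"alg": OPEN_SYSTEM, "seq": 2, "status": STATUS_SUCCESS}

    def associate(self, mac: str, client_ssid: str) -> bool:
        """Association needs State 2 plus a matching SSID (or a blank SSID in guest mode)."""
        if self.state_of(mac) < 2:
            return False
        if client_ssid != self.ssid and not (client_ssid == "" and self.allow_any_ssid):
            return False
        self.state[mac] = 3
        return True

    def deauthenticate(self, mac: str) -> None:
        self.state.pop(mac, None)              # from any state back to State 1

    def disassociate(self, mac: str) -> None:
        if self.state_of(mac) == 3:
            self.state[mac] = 2                # State 3 -> State 2, still authenticated


def demo() -> tuple:
    """Guest mode off: a client with a blank SSID authenticates but cannot associate."""
    ap = AccessPoint("tsunami", allow_any_ssid=False)        # "tsunami" is the default SSID on the slides
    named, blank = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed client MACs
    ap.authenticate(named, open_auth_request())
    ap.authenticate(blank, open_auth_request())
    return ap.associate(named, "tsunami"), ap.associate(blank, ""), ap.state_of(blank)
```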
Open Authentication • Typical Open Authentication on both AP and Client with no WEP keys
Open Authentication and WEP • Remember there are three steps to association: • Probe • Authentication • Association • A client can associate with an AP, but use WEP to send the encrypted data packets. • Authentication and data encryption are two different things. • Authentication – Is the client allowed to associate with this AP? • Encryption – Encrypts the data (payload) and ICV (Integrity Check Value) fields of the 802.11 MAC frame, not the other fields. • So a client could associate with the AP using Open Authentication (basically no authentication), but use WEP to encrypt the data frames sent after it is associated.
Open Authentication and WEP • In some configurations, a client can associate to the access point with an incorrect WEP key or even no WEP key. • The AP must be configured to allow this (coming). • A client with the wrong WEP key will be unable to send or receive data, since the packet payload will be encrypted. • Keep in mind that the header is not encrypted by WEP. • Only the payload or data is encrypted. (Screenshot: associated, but data cannot be sent or received, since it cannot be decrypted.)
Open Authentication - Optional WEP Encryption (AP) • 802.11 allows the client to associate with the AP. • The Cisco AP must have WEP Encryption set to Optional. • Association is successful with any of these options on the client: • Matching WEP key • Non-matching WEP key • No WEP key
Authentication Process – Shared-Key • Shared key requires the client and the access point to have the same WEP key. • An access point using Shared Key Authentication sends a challenge text packet to the client. • If the client has the wrong key or no key, it will fail this portion of the authentication process. • The client will not be allowed to associate to the AP.
Authentication Process – Shared-Key (Review) • Shared-key authentication uses WEP (Wired Equivalent Privacy) and can only be used on products that support WEP. • 802.11 requires any stations that support WEP to also support shared-key authentication.
Authentication Process – Shared-Key (Review) • WEP is an encryption algorithm, not a method of authentication. • Shared-key authentication makes use of WEP, and therefore can only be used on APs and clients that implement WEP. • However, 802.11 requires that any stations implementing WEP also implement shared key authentication. • Shared-key authentication requires that a shared key be distributed to stations before attempting authentication. (Diagram: shared key "RadiaPerlman" on both the client and the AP; Authentication Request, Authentication Response with Challenge Text, Authentication Response with Status Code.)
Authentication Process – Shared-Key (Review) • The client: • Sets the Authentication Algorithm Number to 1 (shared-key) • Sets the Authentication Transaction Sequence Number to 1 • The AP: • Sets the Authentication Algorithm Number to 1 (shared-key) • Sets the Authentication Transaction Sequence Number to 2 • Sets the Status Code to 0 (Successful) • Challenge Text (later) • The client: • Sets the Authentication Algorithm Number to 1 (shared-key) • Sets the Authentication Transaction Sequence Number to 3 • Challenge Text (later) • The AP: • Sets the Authentication Algorithm Number to 1 (shared-key) • Sets the Authentication Transaction Sequence Number to 4 • Sets the Status Code to 0 (Successful)
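The four-frame shared-key exchange from the last three slides, built on the WEP encapsulation it depends on (24-bit IV, RC4 seeded with IV || key, CRC-32 ICV), as an added Python example that is not part of the course material; the same wep_decrypt also shows why, under open authentication with optional WEP, a client holding the wrong key stays associated but cannot exchange data, since the MAC header is readable while the payload and ICV are not. The WEP key bytes and the frame dictionaries are constructed; status code 15 is the 802.11 value for a failed challenge.

```python
import os
import struct
import zlib
from typing import Optional

SHARED_KEY = 1                  # Authentication Algorithm Number for shared-key
STATUS_SUCCESS = 0
STATUS_CHALLENGE_FAILURE = 15   # 802.11 status code: challenge failure
AP_WEP_KEY = bytes.fromhex("0a1b2c3d4e")   # constructed 40-bit key ("64-bit" WEP once the 24-bit IV is added)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XORed over data; WEP seeds RC4 with IV || key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(payload: bytes) -> bytes:
    """Integrity Check Value: CRC-32 over the plaintext payload, encrypted together with it."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, payload: bytes, key_id: int = 0, iv: Optional[bytes] = None) -> bytes:
    """Frame body: IV(3) || KeyID byte || RC4(IV||key, payload || ICV); IV and KeyID travel in the clear."""
    iv = iv if iv is not None else os.urandom(3)
    return iv + bytes([key_id << 6]) + rc4(iv + key, payload + icv(payload))


def wep_decrypt(key: bytes, body: bytes) -> Optional[bytes]:
    """Return the payload, or None when the ICV does not verify (wrong key or altered frame)."""
    plain = rc4(body[:3] + key, body[4:])
    payload, tag = plain[:-4], plain[-4:]
    return payload if icv(payload) == tag else None


def shared_key_auth(client_key: bytes, ap_key: bytes = AP_WEP_KEY) -> list:
    """The four authentication frames as seen on the air; the AP alone decides the final status."""
    f1 = {"alg": SHARED_KEY, "seq": 1}                            # client: request
    challenge = os.urandom(128)                                   # AP: 128-byte challenge text, unencrypted
    f2 = {"alg": SHARED_KEY, "seq": 2, "status": STATUS_SUCCESS, "challenge": challenge}
    f3 = {"alg": SHARED_KEY, "seq": 3, "body": wep_encrypt(client_key, f2["challenge"])}
    ok = wep_decrypt(ap_key, f3["body"]) == challenge             # AP decrypts with its own key and compares
    f4 = {"alg": SHARED_KEY, "seq": 4, "status": STATUS_SUCCESS if ok else STATUS_CHALLENGE_FAILURE}
    return [f1, f2, f3, f4]


def data_frame(key: bytes, mac_header: bytes, payload: bytes) -> bytes:
    """WEP data frame: the 802.11 MAC header stays readable; only payload + ICV are encrypted."""
    return mac_header + wep_encrypt(key, payload)
```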
Authentication Process • Authentication: Open-System or Shared-Key (WEP) • Encryption: None or WEP
Authentication Process – Shared-Key (continued next)
Access Point Authentication • Open Authentication—Allows your client adapter, regardless of its WEP settings, to authenticate and attempt to communicate with an access point. Open Authentication is the default setting. • Shared Key Authentication—Allows your client adapter to communicate only with access points that have the same WEP key. This option is available only if Use Static WEP Keys is selected. • In shared key authentication, the access point sends a known unencrypted "challenge packet" to the client adapter, which encrypts the packet and sends it back to the access point. The access point attempts to decrypt the encrypted packet and sends an authentication response packet indicating the success or failure of the decryption back to the client adapter. If the packet is successfully encrypted/decrypted, the user is considered to be authenticated. • Note: Cisco recommends that shared key authentication not be used because it presents a security risk.
Encryption Modes • Indicates whether clients should use data encryption when communicating with the device. The three options are: • None - The device communicates only with client devices that are not using WEP. • WEP Encryption - Choose Optional or Mandatory. • If optional, client devices can communicate with this access point or bridge with or without WEP. • If mandatory, client devices must use WEP when communicating with the access point. Devices not using WEP are not allowed to communicate. WEP (Wired Equivalent Privacy) is an 802.11 standard encryption algorithm originally designed to provide a level of privacy comparable to that experienced on a wired LAN. The standard defines WEP base keys of size 40 bits or 104 bits.
In Summary • Client • Use Open Authentication on the client (does not use WEP, i.e. the challenge transaction, during authentication). • Use WEP for data encryption. • AP • Use Open Authentication. • Use Mandatory WEP Encryption; devices not using WEP are not allowed to communicate.
Wi-Fi WPA Presentation • Welcome to the Wi-Fi Protected Access (WPA) Security Web page. Here you will find all the latest updates on WPA and the Wi-Fi Alliance's wireless LAN security improvements. • A 60-minute Web cast regarding WPA and the Wi-Fi Alliance's response to the need for improved WLAN security was held on June 11, 2003. The Web cast included a 40-minute presentation titled "Wi-Fi Protected Access: Locking Down the Link," in which Michael Disabato (Senior Analyst, Burton Group) reviewed the features and benefits of WPA, highlighted wired equivalent privacy (WEP) weaknesses, discussed wireless LAN implementation issues, reviewed the second phase of WPA (WPA2) and provided WLAN security recommendations. Mr. Disabato's presentation was followed by a 20-minute question and answer session that included several of the industry's most knowledgeable WLAN security experts. http://www.wifialliance.org/opensection/protected_access.asp
AES • WEP encryption and 802.11 authentication are known to be weak. • IEEE and WPA are enhancing WEP with TKIP and providing robust authentication options with 802.1X to make 802.11-based WLANs more secure. • At the same time, IEEE is also looking to stronger encryption mechanisms. • IEEE has adopted AES into the data-privacy section of the proposed 802.11i standard. • WPA does not include support for AES encryption. • Later versions of WPA are likely to be released to align with 802.11i for interoperable AES encryption support. • AES is the next generation encryption function approved by the National Institute of Standards and Technology (NIST).
Basic WLAN security - Physical Access • Most wireless access points are easily accessible. • They are usually located near users and outside of locked rooms. • This puts wireless access points at special risk for theft and for compromise by malicious users. • Network monitoring can be used to determine when an access point goes offline. • Proper procedures will need to be followed to determine what happened to the equipment. • Almost all wireless vendors publish the methods of resetting an access point using reset buttons or the console port.
Basic WLAN security - Console • Administrator accounts and privileges should be set up properly. • The console port should be password protected. Choose a secure password.