
NETW 05A: APPLIED WIRELESS SECURITY Functional Policy: Guidelines & Baselines

Learn about essential wireless LAN security policies, password guidelines, user training, and infrastructure management. Understand the importance of asset management, change programs, and security checklists. Ensure consistent implementation for a secure wireless environment.

pmaryann

Presentation Transcript


  1. NETW 05A: APPLIED WIRELESS SECURITY Functional Policy: Guidelines & Baselines By Mohammad Shanehsaz

  2. Objectives • Explain the purpose and goals of the following wireless LAN security policies: • Password policy • User training • Ongoing review (auditing) • Acceptable use & abuse policy • Consistent implementation procedure • Centralized implementation and management guidelines and procedures

  3. Objectives • Explain necessary items to include in the creation and maintenance of a wireless LAN security checklist • Describe and recognize the importance of asset management and inventory procedures for wireless LANs • Explain the importance of including wireless LANs in existing change management programs

  4. Functional policy • Policy Essentials • General Guidelines • Baseline practices

  5. Policy Essentials • Every security policy should cover the following topics: • Password policies • Networking staff and end user training requirements • Acceptable use • Consistent implementation / staging procedures • Readily available implementation and management procedures • Regular audits and penetration tests by independent professionals

  6. Password policies • Passwords are the most widely used method of authentication and authorization; however, there are a number of ways to compromise them, such as: • Eavesdropping • Dictionary attack against a network authentication server • Borrowing a user password • Easy to guess password • Getting it from users who leave them out in the open (the sticky note approach)

  7. Practicing good password procedures • Use a password that is mixed case, has punctuation, and uses both alphabetic and numeric characters • Use something that can be remembered without being written down • Force periodic password changes • Lock out accounts after 5 unsuccessful login attempts • Make sure all passwords are at least 8 characters in length • Do not allow passwords to be reused

  8. Networking staff and end user training • Network staff responsible for wireless LAN security need to understand many subject areas, including intrusion techniques, wireless security policy, and solutions, in addition to having a solid grasp of basic wireless LAN functionality and technology. • End users must have adequate training in order to properly implement security controls on their computers, and must understand that it only takes one person not following policy to create a large security hole that can be exploited by an attacker

  9. Acceptable use • Wireless LANs are a half-duplex medium; therefore, bandwidth-intensive applications such as FTP, peer-to-peer file sharing, and streaming video should only be performed over the wired LAN, otherwise they may cause a DoS on APs with many stations • To prevent this, there should be a section in the policy regarding acceptable use of the wireless LAN that defines what scenarios constitute proper use as well as abuse

  10. Consistent implementation / staging procedures • It is common for a network administrator to place a wireless LAN infrastructure device onto the network without having first staged and configured the device to meet the organization’s security policy, which is in effect like placing a rogue AP on the network. To battle this problem, guidelines on how and when to stage and install devices should be part of the functional policy

  11. Readily available implementation and management procedures • It is important that network administrators have the information provided by the company security policy readily available so that they can verify procedural steps while performing their daily tasks

  12. Regular audits and penetration tests by independent professionals • In order to find security holes, internal and external audits are a necessary part of wireless network security • Internal audits will usually find most policy violations, but holes in the security solution will usually require employing an independent wireless security professional • It should be done unannounced

  13. General Guidelines • Wireless network segments should always be treated as an unsecured means of data transit • Follow these rules when passing data wirelessly: • Encrypt email • Use HTTPS for web logins where possible • Use SSH2 instead of telnet where possible • Use secure FTP (SSH2 or SSL) for file transfers • Verify the latest operating system updates or service packs are installed

  14. Security checklist • It is advisable to make security checklists for use by network administrators that include the following items: • Access point and bridge configuration settings • Client-side software installation and settings • Physical security when mounting access points and bridges • End user security solution training

  15. Available Network Resources • Since wireless LANs present a security risk, that added risk may be significantly reduced by eliminating the availability of certain services to the wireless segment

  16. Asset Management • Since enterprise class wireless LAN hardware can be quite expensive, and since much of it is very small and lightweight, this equipment can be easily stolen if not secured. For this reason it is necessary to record all the wireless hardware for periodic inventory, and employees should be required to sign for the hardware they receive

  17. Periodic Inventory • It is a good practice to periodically check infrastructure devices to make sure they are both present and are the correct unit • In large organizations, this type of inventory might be impossible, so other solutions might have to be implemented

  18. Change Management • Wireless LANs should be a part of the existing corporate change management procedures • There are two things to consider: • First, the security policy itself should be periodically evaluated for relevance and modified when necessary • Second, once a secure wireless LAN is in place, any changes to it should be documented and approved by corporate authorities

  19. Spot-checks & Accountability • Some of the most effective methods for ensuring properly implemented wireless LAN security may include: • Thoroughly training end-users • Spot checking for internal policy adherence • Tying adherence and enforcement of policy to departmental compensation

  20. Baseline practices • SSIDs • MAC filters • Static WEP • Default Configuration settings • Firmware Upgrades • Rogue Equipment • Outdoor Bridge Security • RF Cell Sizing • SNMP Community Strings

  21. Baseline practices (continued) • Discovery protocols • Remote Configuration • Client Security • IP Services • Switches vs. Hubs • Staging and Testing • Equipment Installation

  22. SSIDs • The default SSID should be changed on all access points to something cryptic, and not something that could be used to determine the company to whom the AP belongs • By default an AP broadcasts its SSID; not broadcasting SSIDs in beacons (“closing the system”) prevents intruders from passively locating the network

  23. MAC Filters • MAC address filtering is another method by which the IEEE 802.11 task group attempted to secure wireless networks; traffic is allowed or denied based on MAC address • It is both simple and common for a hacker to spoof the MAC address of another NIC

  24. Using Static WEP • Static WEP may be appropriate for a SOHO environment, but not for an enterprise WLAN • When implemented, the largest key size available that is supported by the hardware should be used • When static WEP is used, strong keys should be created that are unrelated to the following: • Organization’s name, address, or phone number • Wireless LAN’s SSID • Access points’ or bridges’ model number(s) or manufacturer’s name • Manufacturer default WEP keys

  25. Default Configuration settings • The default configuration settings on all APs should be changed, since an infrastructure reconfiguration attack can occur if an attacker obtains management access • To prevent this attack, the default username and password should be changed on all infrastructure devices

  26. Firmware Upgrades • Firmware upgrades can provide new security functionality as well as bug fixes or security patches • Firmware should be upgraded for the following devices: • Access points • Wireless Bridges • Client devices • Client or Workgroup Bridges • Enterprise Wireless Gateways • Enterprise Encryption Gateways

  27. Firmware Upgrades • It is a good practice to test end-to-end functionality in a lab environment prior to rolling it out enterprise wide • Firmware upgrades are suggested in order to gain the following features: • TKIP (or similar key rotation protocol) support • Kerberos support • 802.1X/EAP (-TLS, -TTLS, -LEAP, -PEAP) support • WPA compliance • Advanced Encryption Standard (AES) support • VPN support • Rogue access point detection • RADIUS or LDAP support • Role-based access control

  28. Rogue Equipment • Anytime rogue equipment is present in a network, the incident should be considered a serious breach of network security • Eliminating rogue wireless equipment is a multi-step process which includes: • Setting Corporate Policy Regarding Rogue Equipment • Network Administrator Training • Help Desk & End User Training • Intrusion Detection Systems & Audits

  29. Outdoor Bridge security • Outdoor WLAN bridge links may often span miles; this can allow an intruder the opportunity to remain undiscovered • Bridges may act as both a bridge and an access point simultaneously; if possible, client connectivity at the bridge should be disabled • Clear text transmission should not be allowed to pass between bridges at any time. • Wireless bridge installation can be compromised through rogue bridges

  30. Outdoor Bridge security • Wireless bridge installation can be compromised through rogue bridges, which can be placed onto the network at a range of several miles • To overcome this, a good security solution must be chosen and implemented

  31. RF Cell Sizing • Accurate cell sizing can aid in preventing war drivers from being able to locate your network • You can limit cell size by reducing the output power of the access points and antennas • After WLAN configuration, the administrator should attempt a footprint analysis to determine how easily the network can be targeted using omni and directional antennas

  32. SNMP Community Strings • SNMP community strings should be changed or disabled, because default read and write passwords are clearly documented in user manuals • Disable SNMP access if it will not be used; if it is used, set the read and write community strings to complex, non-default values that are not related to the network’s SSID, WEP, or organizational information • Disable SNMP access from outside by using ACLs or firewall filtering

  33. Discovery Protocols • When discovery protocols (such as CDP) are not in use they should be disabled

  34. Remote configuration • If manufacturer feature sets allow for it, configure APs and bridges so that they cannot be configured over the wireless network segment, to prevent compromising authentication information, unless the wireless link is encrypted

  35. Client Security • Wireless security policy should limit any sensitive data on the client machines that could damage the organization • Shared folders should be limited or even prohibited on wireless client machines • Using corporate PCs without protection on public access wireless networks is prohibited • There are many tools, such as personal firewalls and VPN technologies such as IPSec, that can be used to protect wireless clients • Make sure that clients don’t use an unsecured wireless AP to VPN to the corporate network

  36. IP Services • The first step in securing IP services is to heighten general awareness of the possibility of rogue IP services such as DHCP servers. • Use data-link security mechanisms such as an 802.1X/EAP solution to authenticate users prior to receiving an IP address • Earmarking IP ranges for the WLAN segment is another way to speed the location of a hacker and to ease network management

  37. Switches vs. Hubs • Using switches to connect to the wired segment has the following benefits: • Support for security and network management tools such as VLANs • Support for 802.1Q VLAN tagging • SSIDs are tied to VLANs as a means of logically separating groups of wireless users • Allows for segmented network design and secure management over a particular VLAN • Allows for full-duplex connectivity • Hubs broadcast every frame to all ports, so a hacker can see all the traffic

  38. Staging and Testing • Staging and testing should occur prior to deployment; wireless infrastructure devices should be staged and configured in an isolated environment for a secure deployment • Administrators should use approved security configuration checklists to ensure that no security holes are created by a failure to follow configuration procedures

  39. Equipment Installation • To prevent theft of wireless network equipment, devices should be: • Mounted out of reach • Bolted down or secured in locked steel boxes • Kept out of plain sight

  40. Summary • Guidelines and baselines of the functional policy were discussed • Policy covers password policies, training, usage, implementation and staging, procedures and audits • General guidelines cover the security checklist, available network resources, asset management, change management, and spot-checks and accountability

  41. Summary • Baseline practices consist of several strategic areas, such as basic SSID changes, MAC filtering inadequacies, WEP versus EAP/802.1X solutions, detecting rogue equipment, and wireless bridge security, that must be considered when implementing wireless LANs

  42. Resources • CWSP Certified Wireless Security Professional, from McGraw-Hill
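
The baseline practices on slides 22 to 34 can be turned into the kind of staging checklist slide 38 calls for. The following is an added example, not part of the original presentation: the configuration field names, device model, organization token and sample values are all constructed assumptions rather than any vendor's schema.

```python
# Added example: checks one AP's settings against the baseline slides (22-34).
# All field names, models and values below are constructed, not a vendor schema.
DEFAULT_SSIDS = {"linksys", "default", "tsunami"}   # sample factory SSIDs
DEFAULT_COMMUNITIES = {"public", "private"}         # common SNMP defaults
DEFAULT_LOGINS = {("admin", "admin"), ("admin", "password")}  # sample defaults


def related(value, tokens):
    """True if value contains any identifying token (case-insensitive)."""
    return any(t and t.lower() in value.lower() for t in tokens)


def audit_ap(cfg, org_tokens):
    """Return baseline findings for one staged access point (empty = pass)."""
    ident = list(org_tokens) + [cfg["model"], cfg["vendor"]]
    ssid, out = cfg["ssid"], []
    if ssid.lower() in DEFAULT_SSIDS or related(ssid, ident):
        out.append("ssid: default, or identifies the organization/device")
    if cfg["broadcast_ssid"]:
        out.append("ssid: broadcast in beacons is enabled")
    if (cfg["admin_user"], cfg["admin_password"]) in DEFAULT_LOGINS:
        out.append("admin: default username/password still set")
    wep = cfg.get("static_wep_key")
    if wep and related(wep, ident + [ssid]):
        out.append("wep: key related to SSID, organization or device")
    if cfg["snmp_enabled"]:
        for name in ("snmp_read", "snmp_write"):
            comm = cfg[name]
            if comm.lower() in DEFAULT_COMMUNITIES or related(comm, ident + [ssid]):
                out.append(f"{name}: default or guessable community string")
    if cfg["cdp_enabled"] and not cfg["cdp_in_use"]:
        out.append("cdp: discovery protocol enabled but not in use")
    if cfg["mgmt_over_wireless"] and not cfg["wireless_link_encrypted"]:
        out.append("mgmt: configurable over an unencrypted wireless link")
    return out


ORG = ["examplecorp"]  # constructed organization identifier
FACTORY = dict(model="WAP-1000", vendor="ExampleVendor", ssid="linksys",
               broadcast_ssid=True, admin_user="admin", admin_password="admin",
               static_wep_key="examplecorp01", snmp_enabled=True,
               snmp_read="public", snmp_write="private", cdp_enabled=True,
               cdp_in_use=False, mgmt_over_wireless=True,
               wireless_link_encrypted=False)
STAGED = dict(FACTORY, ssid="k4v-7nq2", broadcast_ssid=False,
              admin_user="netops", admin_password="constructed-Passphrase-91!",
              static_wep_key=None, snmp_enabled=False, cdp_enabled=False,
              mgmt_over_wireless=False)

if __name__ == "__main__":
    for label, cfg in (("factory", FACTORY), ("staged", STAGED)):
        print(label, audit_ap(cfg, ORG) or "PASS")
```

Run against an exported configuration before a device leaves the staging environment; an empty result means none of the listed baseline checks failed, not that the device is otherwise secure.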
